[Snort-sigs] false positive: WEB-FRONTPAGE fourdots request
mkettler at ...189...
Tue Oct 7 15:14:06 EDT 2003
At 04:59 PM 10/7/2003, Hugo van der Kooij wrote:
>alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
>(msg:"WEB-FRONTPAGE fourdots request"; flow:to_server,established;
>content: "|2e 2e 2e 2e 2f|"; nocase; reference:bugtraq,989;
>classtype:web-application-attack; sid:966; rev:5;)
What's with all these rules which consist entirely of ASCII text being
written in hex format for no particularly good reason? What kind of drugs
do you need to be on to think that "|2e 2e 2e 2e 2f|" is a better idea than
Perhaps it's just copy-paste laziness from hex packet dumps, but it's
really quite silly and makes the intent of the rule significantly harder to
I don't write my emails in |68 65 78| do I?
The actual bug here appears to be that someone failed to use uricontent
instead of content where they should have. The original vulnerability only
pertains to the FrontPage Personal Web Server following URLs containing
four dots as a form of directory traversal. Thus the string will only ever
appear in a URI. The false positive you saw was clearly not part of a URI,
and was part of general http communications.
I think the following replacement rule should work better, and is
significantly more readable too.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
(msg:"WEB-FRONTPAGE directory traversal fourdots request"; \
uricontent: "..../"; nocase; reference:bugtraq,989; \
reference:cve,CAN-2000-0153; reference:arachnids,248; \
classtype:web-application-attack; sid:1000966; rev:6;)
Note that I changed the SID by adding 1,000,000 to it, since this isn't an
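The content-versus-uricontent distinction in the post can be reproduced with a small simulation. The following is an added example, not code from the original mail or from Snort itself: it models the old rule's `content` match (pattern anywhere in the TCP payload) and the replacement rule's `uricontent` match (pattern only in the request-target of the request line, after percent-decoding, which is what Snort's HTTP preprocessor normalisation would also do). The HTTP requests are constructed samples; the percent-encoded case goes one step beyond the mail to show why the URI-scoped match also catches an encoded variant that a raw byte match misses.

```python
"""Constructed demonstration of Snort 'content' vs 'uricontent' semantics
for the WEB-FRONTPAGE fourdots rule (assumed simplified matching model)."""
from urllib.parse import unquote

# The pattern from the rule, written as plain ASCII rather than |2e 2e 2e 2e 2f|
FOURDOTS = b"..../"


def request_uri(raw: bytes) -> bytes:
    """Return the request-target from the first line of a raw HTTP request."""
    request_line = raw.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    return parts[1] if len(parts) >= 2 else b""


def normalize_uri(uri: bytes) -> bytes:
    """Percent-decode and lower-case the URI, as an HTTP preprocessor would
    before 'uricontent' is evaluated (simplified model, assumption)."""
    return unquote(uri.decode("latin-1")).encode("latin-1").lower()


def matches_content(raw: bytes, pattern: bytes = FOURDOTS) -> bool:
    """'content' semantics: the pattern may appear anywhere in the payload
    (headers, body, anything), compared case-insensitively ('nocase')."""
    return pattern.lower() in raw.lower()


def matches_uricontent(raw: bytes, pattern: bytes = FOURDOTS) -> bool:
    """'uricontent' semantics: the pattern must appear in the normalised URI."""
    return pattern.lower() in normalize_uri(request_uri(raw))


def classify(raw: bytes) -> dict:
    """Evaluate both rule variants against one request."""
    return {"content": matches_content(raw), "uricontent": matches_uricontent(raw)}


def _post(path: bytes, body: bytes) -> bytes:
    """Build a constructed POST request with a correct Content-Length."""
    return (b"POST " + path + b" HTTP/1.0\r\n"
            b"Host: www.example.test\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


# Constructed sample traffic.
# 1. The pattern in the URI: both rule variants fire.
TRAVERSAL_URI = b"GET /..../readme.txt HTTP/1.0\r\nHost: www.example.test\r\n\r\n"
# 2. The pattern only in a form body (e.g. someone typing dots in a guestbook):
#    the old 'content' rule fires (the false positive), 'uricontent' does not.
BODY_ONLY = _post(b"/guestbook.cgi", b"comment=see+the+notes+at+..../notes.txt")
# 3. Percent-encoded dots in the URI: raw 'content' misses, normalised
#    'uricontent' still matches.
ENCODED_URI = b"GET /%2e%2e%2e%2e/readme.txt HTTP/1.0\r\nHost: www.example.test\r\n\r\n"
# 4. Ordinary request: neither fires.
BENIGN = b"GET /index.html HTTP/1.0\r\nHost: www.example.test\r\n\r\n"

SAMPLES = {
    "traversal_uri": TRAVERSAL_URI,
    "body_only": BODY_ONLY,
    "encoded_uri": ENCODED_URI,
    "benign": BENIGN,
}


def evaluate_all() -> dict:
    """Classify every constructed sample; keys are the sample names."""
    return {name: classify(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in evaluate_all().items():
        print(f"{name:14s} content={result['content']!s:5s} "
              f"uricontent={result['uricontent']!s:5s}")
```

The `body_only` sample is the shape of the false positive the thread describes: the bytes `..../` are present in the stream, so a payload-wide `content` match fires, while the URI-scoped match correctly stays quiet.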