[Snort-sigs] 2 WEB-IIS unicode directory rules

Mark markmormartin at ...1934...
Fri Aug 6 07:40:07 EDT 2004


I saw in the WEB-ISS  that there are two 
WEB-IIS unicode directory traversal attempt rules, I understand that
they are looking for different content, but wouldn't it be nice if they
had a different message 

 $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS unicode
directory traversal attempt"; flow:to_server,established;
content:"/..%c1%9c../"; nocase; reference:bugtraq,1806;
reference:cve,2000-0884; classtype:web-application-attack; sid:983;
rev:9;)

web-iis.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-IIS unicode directory traversal attempt";
flow:to_server,established; content:"/..%c0%af../"; nocase;
reference:bugtraq,1806; reference:cve,2000-0884;
classtype:web-application-attack; sid:981; rev:9;)






More information about the Snort-sigs mailing list