[Snort-sigs] FP on sid=535

Jason Haar Jason.Haar at ...651...
Mon Mar 15 08:44:16 EST 2004


I've just had a bunch of these occur.

SID=535 reads:

circumvent directory access control by trying to change to the "..." directory

Well, I think it can trigger when there are lots of dots in the filename too
(see the "2E 2E 2E 00 00 00 00 C0"). We have just upgraded to 2.1.1 and are
getting this triggering on what I assume is normal traffic.


C.x{D...D.? A.j.
3d0 : 41 00 A0 39 43 00 04 4F 43 00 73 6F 66 74 77 61   A..9C..OC.softwa
3e0 : 72 65 00 00 00 00 5C 2E 2E 2E 00 00 00 00 C0 7B   re....\........{
3f0 : 44 00 51 A6 43 00 E0 A5 43 00 92 A7 43 00 2A AA   D.Q.C...C...C.*.
400 : 43 00 AC A9 43 00 1C A5 43 00 26 25 64 20 00 00   C...C...C.&%d ..
410 : 00 00 2E 49 4E 49 00 00 00 00 2E 48 4C 50 00 00   ..INI.....HLP..


-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1



