[Snort-sigs] New sig for detecting a Zip file contains directory traversal

rmkml rmkml at ...4129...
Mon Nov 14 14:08:53 EST 2016


Hi,

Please check a new sig, created old 8 years ago, for detecting a Zip file contains directory traversal:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT ZIP filename dir traversal attempt"; flow:to_client,established; file_data; 
content:"PK|03 04|"; within:4; distance:0; content:".."; within:30; distance:26; pcre:"/^PK\x03\x04.{26}.{0,30}\.\.(?:\\|\/|\%2[fF]|\%5[cC])/sm"; 
reference:url,www.exploit-db.com/exploits/40741/; reference:cve,2015-5662; reference:cve,2015-1080; reference:cve,2008-5275; reference:cve,2007-4545; 
reference:bugtraq,25419; reference:cve,2007-2058; reference:bugtraq,23471; reference:cve,2006-2520; reference:bugtraq,18065; reference:osvdb,25693; 
reference:cve,2006-1323; reference:bugtraq,17153; reference:cve,2006-0932; reference:cve,2006-0890; reference:cve,2005-3484; reference:bugtraq,15288; 
reference:cve,2005-2670; reference:bugtraq,14606; reference:cve,2005-2619; reference:bugtraq,16576; reference:osvdb,23066; reference:cve,2005-0331; 
reference:bugtraq,12422; reference:cve,2005-0329; reference:bugtraq,12419; reference:cve,2005-0304; reference:bugtraq,12332; reference:cve,2005-0213; 
reference:bugtraq,12176; reference:cve,2001-1268; classtype:web-application-activity; sid:1; rev:1;)

Don't forget check variables.

Please send any comments.

Regards
@Rmkml




More information about the Snort-sigs mailing list