[Snort-users] Odd rule

Ralf Hildebrandt Ralf.Hildebrandt at ...22...
Thu Aug 31 10:04:26 EDT 2000


Today I got this:
=================

Aug 31 13:07:15 stahlw06 snort[161]: IDS298 - WEB MISC - http-directory-traversal 2: 212.84.196.8:4380 -> 134.169.69.226:80

The packet dump:
================

[**] IDS298 - WEB MISC - http-directory-traversal 2 [**]
08/31-13:07:15.089608 212.84.196.8:4380 -> xxx.xxx.xx.xxx:80
TCP TTL:57 TOS:0x0 ID:28309  DF
*****PA* Seq: 0x64FCE28E   Ack: 0x6CBCCCDE   Win: 0x7D78
61 64 6D 69 6E 70 77 3D xx xx xx xx xx xx xx xx  adminpw=xxxxxxx&
72 65 71 75 65 73 74 5F 6C 6F 67 69 6E 3D 4C 65  request_login=Le
74 2B 6D 65 2B 69 6E 2E 2E 2E                    t+me+in...
The question:
=============

alert tcp !$HOME_NET any -> $HOME_NET 80 (msg: "IDS298 - WEB MISC - http-directory-traversal 2"; flags:PA; content: "..\";)

Why does that rule match? I see no "..\" in the above packet dump!

-- 
ralf.hildebrandt at ...22...
Dipl.-Informatiker                                       innominate AG
system engineer                                      networking people
tel: +49.30.308806-62  fax: -77   http://innominate.de  pgp at request
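As an added example (not part of the post, and not Snort's own parser): a small Python model of what byte pattern the quoted content string reduces to, checked against the payload reconstructed from the hex dump above. It assumes the text between the rule's quotes is `..\`, that `|..|` encloses hex bytes, and that a backslash escapes the character after it (Snort's rule syntax requires a literal backslash to be written `\\`); under that reading the trailing backslash escapes nothing, the effective pattern is two dots, and the `...` in `Let+me+in...` satisfies it.

```python
import re

# Payload hex dump copied from the post above; the poster masked the
# password bytes as "xx" (constructed test input, not a live capture).
HEX_DUMP = """\
61 64 6D 69 6E 70 77 3D xx xx xx xx xx xx xx xx  adminpw=xxxxxxx&
72 65 71 75 65 73 74 5F 6C 6F 67 69 6E 3D 4C 65  request_login=Le
74 2B 6D 65 2B 69 6E 2E 2E 2E                    t+me+in...
"""

def parse_hex_dump(dump: str) -> bytes:
    """Rebuild payload bytes from Snort's 16-bytes-per-line hex dump.
    Masked "xx" columns are stood in by 0x78 ('x'); their real values are unknown."""
    out = bytearray()
    for line in dump.splitlines():
        for col in line.split()[:16]:   # at most 16 byte columns per line
            if col == "xx":
                out.append(ord("x"))
            elif re.fullmatch(r"[0-9A-Fa-f]{2}", col):
                out.append(int(col, 16))
            else:
                break                   # hit the ASCII gutter of a short line
    return bytes(out)

def snort_content_bytes(content: str) -> bytes:
    """Bytes a content: option searches for, given the text between its
    quotes. Modelled rules: |..| encloses hex bytes; a backslash escapes
    the next character (a literal backslash is written \\\\); a trailing
    backslash escapes nothing and yields no byte (assumption)."""
    out, i = bytearray(), 0
    while i < len(content):
        c = content[i]
        if c == "|":                        # hex section, e.g. |2E 2E|
            end = content.index("|", i + 1)
            out += bytes.fromhex(content[i + 1:end])
            i = end + 1
        elif c == "\\":                     # escape: take next char literally
            if i + 1 < len(content):
                out.append(ord(content[i + 1]))
            i += 2
        else:
            out.append(ord(c))
            i += 1
    return bytes(out)

def rule_matches(content: str, payload: bytes) -> bool:
    return snort_content_bytes(content) in payload

PAYLOAD = parse_hex_dump(HEX_DUMP)
```

Under the same assumptions, a rule meant to match a literal `..\` would have to spell the content as `..\\`, which this payload does not contain.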