[Snort-users] uricontent misbehaving?
kramert at ...3975...
Fri Nov 2 11:27:02 EST 2001
The "readme.eml" rule (in this case) was probably written
in response to the Nimda worm which infects web servers so
bottom of the web page. The additional code causes a new
browser window to be opened will off the visible portion of
the desktop (location 6000,6000) and to download a file
called "readme.eml". The actual code that gets added to the
window.open("readme.eml", null, "resizable=no,top=6000,left=6000")
The act of visiting the infected website causes an additional
HTTP request. This also makes it easy to detect (via Snort)
and/or easy to block (via Squid).
Hope this helps,
On Fri, 2001-11-02 at 13:21, dan.ellis at ...3983... wrote:
> I'm not actually a snort user, but I'm trying to respond to a log I was
> Date:01/11 18:43:59 Name:WEB-MISC readme.eml attempt
> Priority:8 Type:Attempted User Privilege Gain
> IP info: xxx.xxx.xxx.xxx:80 -> yyy.yyy.yyy.yyy:62689
> References: 1
> which apparently came from the rule:
> Alert tcp $EXTERNAL_NET 80 -> $HOME_NET any \
> (msg:"WEB-MISC readme.eml attempt"; \
> flags:A+; uricontent:"readme.eml"; nocase; \
> classtype:attempted-user; sid:1284; rev:3; \
> (xxx... is our web server.)
> I'm not very familiar with snort, but from what I've just read in the
> documentation the 'uricontent' bit is supposed to match only on
> the URI of requests. However, this was a response packet from our
> web server. Of course, several of our pages contain the text "readme.eml",
> but I don't see how this rule could have triggered unless it was
> mistakenly matching as 'content' instead of 'uricontent'. Has 'uricontent'
> been known to misbehave in this way?
> Any information greatly appreaciated.
> Dan Ellis, Software Engineer Sophos Anti-Virus
> email: dan.ellis at ...3983... http://www.sophos.com
> US Support: +1 888 SOPHOS 9 UK Support: +44 1235 559933
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> Snort-users list archive:
More information about the Snort-users