[Snort-users] uricontent misbehaving?

Brian bmc at ...950...
Tue Nov 6 04:17:12 EST 2001


According to dan.ellis at ...3983...:
> Date:01/11 18:43:59 Name:WEB-MISC readme.eml attempt
> Priority:8 Type:Attempted User Privilege Gain
> IP info: xxx.xxx.xxx.xxx:80 -> yyy.yyy.yyy.yyy:62689
> References: 1
> 
> which apparently came from the rule:
> 
> Alert tcp $EXTERNAL_NET 80 -> $HOME_NET any \
>     (msg:"WEB-MISC readme.eml attempt"; \
>     flags:A+; uricontent:"readme.eml"; nocase; \
>     classtype:attempted-user; sid:1284; rev:3; \
>     reference:url,www.cert.org/advisories/CA-2001-26.html;)
> 
> (xxx... is our web server.)
> 
> I'm not very familiar with snort, but from what I've just read in the
> documentation the 'uricontent' bit is supposed to match only on
> the URI of requests. However, this was a response packet from our
> web server. Of course, several of our pages contain the text "readme.eml",
> but I don't see how this rule could have triggered unless it was
> mistakenly matching as 'content' instead of 'uricontent'. Has 'uricontent'
> been known to misbehave in this way?

Actually, that makes sense.  If they are not using http_decode, then
the URICONTENT never gets set for the session.  If you are not using
http_decode, then it will trigger on any packet on port 80 that
includes the string of readme.eml.

-brian
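As an added illustration (written for this page, not Snort's own code and not from either poster), a small Python model of the behaviour Brian describes: with an http_decode stage the URI buffer is populated only from request lines, so `uricontent` has nothing to search in a server response; without that stage no URI buffer ever exists and the check degrades to a plain payload search, so a page body containing "readme.eml" fires the rule. The three port-80 payloads are constructed samples.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample TCP port-80 payloads: a request for /readme.eml, a
# server response whose HTML body mentions readme.eml, and a clean request.
REQUEST = b"GET /readme.eml HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
RESPONSE = (b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
            b'<html><script>window.open("README.EML")</script></html>')
CLEAN = b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"

@dataclass
class Packet:
    payload: bytes
    uri: Optional[bytes] = None   # populated only by the http_decode stage

def http_decode(pkt: Packet) -> None:
    """Model of the http_decode preprocessor: take the URI from an HTTP
    request line. A response has no request line, so uri stays None."""
    parts = pkt.payload.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) == 3 and parts[2].startswith(b"HTTP/"):
        pkt.uri = parts[1]

def uricontent(pkt: Packet, pattern: bytes, decoder_enabled: bool) -> bool:
    """Model of uricontent:"pattern"; nocase; as described in the thread.
    Decoder on: only the decoded URI buffer is searched, so responses never
    match. Decoder off: no URI buffer exists, so the whole payload is
    searched exactly as a plain content match would."""
    if decoder_enabled:
        haystack = pkt.uri if pkt.uri is not None else b""
    else:
        haystack = pkt.payload
    return pattern.lower() in haystack.lower()

def fired(payloads: List[bytes], decoder_enabled: bool) -> List[int]:
    """Indexes of payloads that would raise the readme.eml alert."""
    hits = []
    for i, data in enumerate(payloads):
        pkt = Packet(data)
        if decoder_enabled:
            http_decode(pkt)
        if uricontent(pkt, b"readme.eml", decoder_enabled):
            hits.append(i)
    return hits

if __name__ == "__main__":
    traffic = [REQUEST, RESPONSE, CLEAN]
    print("http_decode off:", fired(traffic, False))  # [0, 1]: response alerts too
    print("http_decode on: ", fired(traffic, True))   # [0]: only the request URI
```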
