[Snort-users] http directory traversal

Brian bmc at ...950...
Fri Nov 16 06:22:10 EST 2001


According to RAMALINGA Reddy:
> Hi,
> 	I started using snort along with the rules that come with it. There
> is one rule in web-misc.rules that reports "WEB-MISC http directory
> traversal" if the content is either "..\\" or "../". I think this rule
> should be looking for the same in uricontent rather than in content. Is
> there any reason why it is looking in the content? Please clarify.

Yes, there is a reason for looking in the entire packet.  Did you read the 
mail archives?  I answered this question quite some time ago.

Form variables are one of the most exploited "issues" for web 
applications.  Directory traversal happens in form variables quite
often.  Because of this, we want to look for the "../" inside of form
variables, which can be sent to the web server via HTTP POST.  HTTP
POST does not include variables in the URI.  

Limiting the content search to the URI would miss a large number of
attacks.

-- 
If North America were a turkey club at a diner, canada'd be the plate.  Big,
white, and there, but out of the way, and you never really think about it.
And the plate's not as important as it thinks.
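
Added example, not part of the original message and not Snort code: a simplified Python model of the two matching scopes discussed above, run over three constructed HTTP requests. It assumes "uricontent" can be approximated as a search of the request-line URI and "content" as a search of the whole payload; the function names, host and file names are hypothetical.

```python
# Simplified model (an assumption, not Snort's implementation):
#   uri_only_match     ~ a rule that searches only the request URI
#   full_payload_match ~ a rule that searches the entire packet payload
PATTERNS = (b"../", b"..\\")  # the two strings named in the thread

def split_request(raw: bytes):
    """Return (uri, body) from a raw HTTP/1.x request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    uri = parts[1] if len(parts) >= 2 else b""
    return uri, body

def uri_only_match(raw: bytes) -> bool:
    uri, _ = split_request(raw)
    return any(p in uri for p in PATTERNS)

def full_payload_match(raw: bytes) -> bool:
    return any(p in raw for p in PATTERNS)

# Constructed sample requests (not captured traffic).
SAMPLES = {
    "get_uri": (b"GET /cgi-bin/view?file=../../secret.txt HTTP/1.0\r\n"
                b"Host: www.example.com\r\n\r\n"),
    "post_body": (b"POST /cgi-bin/view HTTP/1.0\r\n"
                  b"Host: www.example.com\r\n"
                  b"Content-Type: application/x-www-form-urlencoded\r\n"
                  b"Content-Length: 21\r\n\r\n"
                  b"file=../../secret.txt"),
    "post_benign": (b"POST /cgi-bin/view HTTP/1.0\r\n"
                    b"Host: www.example.com\r\n"
                    b"Content-Type: application/x-www-form-urlencoded\r\n"
                    b"Content-Length: 15\r\n\r\n"
                    b"file=report.txt"),
}

def evaluate():
    """Map sample name -> (URI-only hit, full-payload hit)."""
    return {name: (uri_only_match(raw), full_payload_match(raw))
            for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, (uri_hit, full_hit) in evaluate().items():
        print(f"{name:12} uri_only={uri_hit!s:5} full_payload={full_hit}")
```

The "post_body" request is the case the reply describes: the form variable travels in the POST body, so only the full-payload search flags it.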




