[Snort-users] rule question

Italo Antonio imigotto at ...3348...
Tue Sep 25 09:28:04 EDT 2001


try:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 3052 \
    (msg:"WEB-MISC APC Network dot dot Bug"; \
    uricontent:"/\../\../\../\..\/\../WINNT/repair/"; \
    flags:A+; classtype:attempted-admin;)

cdowns wrote:

> I have created this rule for one of my IDS boxes but there is
> something wrong. Does anyone see what could be wrong with this? I'm
> overlooking something simple, I'm sure.
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 3052 (msg:WEB-MISC APC
> Network dot dot Bug";
> uricontent:"/\../\../\../\..\/\../WINNT/repair/"; flags:A+; class
> type:attempted-admin;)
>
> thanks
> -D
> --
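
An added example, not part of the original thread or of Snort itself: a small Python check that flags the two syntax slips in the rule as posted in the question, an unquoted msg value and a classtype keyword split in two. The function name lint_rule and the keyword list are assumptions made for the example, and the option splitting is a simplification of how Snort reads a rule.

```python
import re

# Option keywords this check knows about; a subset chosen for the example,
# not Snort's full keyword list.
KNOWN = {"msg", "content", "uricontent", "flags", "classtype",
         "reference", "sid", "rev", "nocase", "offset", "depth"}
QUOTED = {"msg", "content", "uricontent"}   # values that must be "quoted"

def lint_rule(rule):
    """Return a list of problems found in the option section of one rule."""
    rule = " ".join(rule.split())            # undo mail-client line wrapping
    start, end = rule.find("("), rule.rfind(")")
    if start == -1 or end < start:
        return ["no (option; ...) section found"]
    problems = []
    # Options are separated by ';' unless the ';' is escaped with a backslash.
    for opt in re.split(r"(?<!\\);", rule[start + 1:end]):
        opt = opt.strip()
        if not opt:
            continue
        keyword, _, value = opt.partition(":")
        keyword, value = keyword.strip(), value.strip()
        if keyword not in KNOWN:
            problems.append(f"unknown option keyword {keyword!r}")
        elif keyword in QUOTED and not (
                len(value) >= 2 and value[0] == '"' and value[-1] == '"'):
            problems.append(f"{keyword} value is not enclosed in double quotes")
    return problems

# The rule as posted in the question (copied from the page, wrapping included).
POSTED = r'''alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 3052 (msg:WEB-MISC APC
Network dot dot Bug";
uricontent:"/\../\../\../\..\/\../WINNT/repair/"; flags:A+; class
type:attempted-admin;)'''

# Constructed corrected form: opening quote restored, classtype as one word.
FIXED = (r'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 3052 '
         r'(msg:"WEB-MISC APC Network dot dot Bug"; '
         r'uricontent:"/\../\../\../\..\/\../WINNT/repair/"; '
         r'flags:A+; classtype:attempted-admin;)')

if __name__ == "__main__":
    for name, rule in (("posted", POSTED), ("fixed", FIXED)):
        print(name, lint_rule(rule) or "ok")
```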




