[Snort-users] rule question

Wayne T Work wwork at ...3179...
Tue Sep 25 10:58:02 EDT 2001

Try this   Not sure what the sid is but it will help

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 3052 (msg:"WEB-MISC APC 
Network dot dot Bug"; urlcontent:"/\../\../\../\..\/\../WINNT/repair/"; 
flags: A+; classtype:attempted-admin; sid:  ; rev:1;)

At 11:44 AM 9/25/2001 -0400, cdowns wrote:
>I have created this rule for one of my IDS boxses but there is something 
>wrong does anyone see what could be wrong with this ? im overlooking 
>something simple im sure.
>alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 3052 (msg:WEB-MISC APC 
>Network dot dot Bug"; uricontent:"/\../\../\../\..\/\../WINNT/repair/"; 
>flags:A+; class
>  Network Security Administrator
>      Christopher M Downs
>     Skillsoft Corporation
>   <http://www.skillsoft.com>http://www.skillsoft.com
>"you can't point and click your
>  way to super cracker status -"

Wayne T Work
Manager of Information Systems Security
Cybergnostic.net, Inc.
(O) 203-331-4417
(C) 203-217-5004
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20010925/285bcc18/attachment.html>

More information about the Snort-users mailing list