[Snort-users] APC dot dot bug (Network Shutdown)

cdowns cdowns at ...3622...
Wed Sep 26 19:51:03 EDT 2001


OK, I got this rule to work just fine like this. I captured the payload
and verified the hex output, which is:

payload first request:
0x0040   2e2f 5749 4e4e 542f 7265 7061 6972 2f20        ./WINNT/repair/.

payload second request:
0x0040   2e2f 5749 4e4e 542f 7265 7061 6972 2f20        ./WINNT/repair/.

I have not seen this rule in the rules0727, but this does not mean it is
not available. If it is, please disregard this message, as I am not
currently on the sig list.

rule:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 3052 (msg:"WEB-MISC APC Network dot dot Bug"; flags: A+; content:"|2e2f 5749 4e4e 542f 7265 7061 6972 2f20|"; classtype:attempted-admin;)

output:
[**] [1:0:0] WEB-MISC APC Network dot dot Bug [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 10]
09/26-22:20:40.154508 10.0.4.25:1336 -> 64.28.89.35:3052
TCP TTL:128 TOS:0x0 ID:22391 IpLen:20 DgmLen:354 DF
***AP*** Seq: 0xCFC6F4C9  Ack: 0x7C55442F  Win: 0x4510  TcpLen: 20

Thanks for those who responded.
-D


---------------------------------
Network Security Administrator
    http://www.skillsoft.com
     cdowns at ...1892...
 "You can't point and click your
  way to super cracker status"
---------------------------------
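The following is an added example, not code from the post above or from Snort itself. It emulates what the posted rule actually tests: it decodes the `|...|` pipe-hex content into bytes, parses the tcpdump-style hex line quoted in the post to confirm those bytes are `./WINNT/repair/ `, and then applies the rule's port, flag and content conditions to a few constructed HTTP requests (the sample requests are made up for the demo and are not from the author's capture; the `$EXTERNAL_NET`/`$HTTP_SERVERS` address checks are not modelled). The last two samples show the practical caveat: because the content ends in 0x20, a request naming a file under `repair/` or using URL-encoded slashes would not trigger this signature.

```python
"""Emulate the posted Snort rule against constructed payloads."""
import re
from dataclasses import dataclass

# Content string copied from the posted rule; dst port from the rule header.
RULE_CONTENT = "|2e2f 5749 4e4e 542f 7265 7061 6972 2f20|"
RULE_DST_PORT = 3052


def snort_content_to_bytes(content: str) -> bytes:
    """Turn a Snort 'content' value into raw bytes.

    Text between '|' pairs is hex (whitespace ignored); text outside the
    pipes is literal. Backslash escapes (\\|, \\", \\;) are not handled here.
    """
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        if i % 2:                                   # odd index = inside |...|
            out += bytes.fromhex(re.sub(r"\s+", "", part))
        else:
            out += part.encode("latin-1")
    return bytes(out)


PATTERN = snort_content_to_bytes(RULE_CONTENT)      # b"./WINNT/repair/ "


def tcpdump_hex_line_to_bytes(line: str) -> bytes:
    """Parse one 'tcpdump -x' style line ('0x0040   2e2f 5749 ...  ascii')
    into bytes: up to eight 4-hex-digit groups following the offset."""
    groups = []
    for tok in line.split()[1:]:
        if len(groups) == 8 or not re.fullmatch(r"[0-9a-fA-F]{4}", tok):
            break                                   # reached the ASCII column
        groups.append(tok)
    return bytes.fromhex("".join(groups))


@dataclass
class Packet:
    dst_port: int
    flags: str          # TCP flag letters as tcpdump/Snort print them, e.g. "AP"
    payload: bytes


def rule_matches(pkt: Packet) -> bool:
    """Conditions of the posted rule: dst port 3052, ACK set (flags: A+),
    and the content bytes present anywhere in the payload."""
    return (pkt.dst_port == RULE_DST_PORT
            and "A" in pkt.flags
            and PATTERN in pkt.payload)


# Constructed sample traffic (assumed, not taken from the post's capture).
SAMPLES = {
    "traversal_to_3052": Packet(3052, "AP", b"GET /../../WINNT/repair/ HTTP/1.0\r\n\r\n"),
    "traversal_to_80":   Packet(80,   "AP", b"GET /../../WINNT/repair/ HTTP/1.0\r\n\r\n"),
    "no_trailing_space": Packet(3052, "AP", b"GET /../../WINNT/repair/sam HTTP/1.0\r\n\r\n"),
    "url_encoded":       Packet(3052, "AP", b"GET /..%2f..%2fWINNT%2frepair%2f HTTP/1.0\r\n\r\n"),
}


def evaluate_samples() -> dict:
    """Run every sample through the rule emulation; True means Snort would alert."""
    return {name: rule_matches(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:20} {'ALERT' if hit else '-'}")
```

Only the first sample alerts: the second misses because the rule is pinned to port 3052, and the last two miss because the content match is a fixed byte string ending in a space. Whether that is acceptable depends on what the target actually accepts; a practitioner would usually test the rule against the encoded and file-specific variants before relying on it.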
