[Snort-users] Directory Traversal
erek at ...577...
Sun Sep 30 18:25:01 EDT 2001
On Sun, 30 Sep 2001, Jim Kipp wrote:
> Yes, I know where the rule is, but I still don't know what it is exactly
> for. It does look IIS related, because in the payload there are GET
> ../cmd.exe blah blah
If the rule you're referring to is:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC http directory
traversal"; flags: A+; content: "..\\";reference:arachnids,298;
classtype:attempted-recon; sid:1112; rev:1;)
Then it translates into: Someone used a URL with "..\\" in it. If it's got
cmd.exe tacked onto it, I'd say it is something like CR or Nimda.
Could you post the packet payload? Sanitized of course! :)
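
What the rule's content option matches at the byte level, as an added example that is not part of the original post. It models only the flags and content options against the raw payload, with no preprocessor decoding; the function names and the sample requests are constructed for illustration.

```python
import re

# The rule quoted in the message above, joined onto one line.
RULE = (r'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 '
        r'(msg:"WEB-MISC http directory traversal"; flags: A+; '
        r'content: "..\\";reference:arachnids,298; '
        r'classtype:attempted-recon; sid:1112; rev:1;)')

# name: value; pairs, where a quoted value may contain escaped characters.
OPTION = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*)\s*;')

def parse_options(rule):
    """Return the rule's option list as a dict of raw option strings."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    return {m.group(1): m.group(2).strip() for m in OPTION.finditer(body)}

def content_bytes(value):
    """Decode a quoted content string into the bytes it searches for."""
    # Inside content, a backslash escapes \ ; and ", so the rule's "..\\"
    # means the three bytes: dot, dot, backslash.
    # The |hex| notation is not handled; this rule does not use it.
    return re.sub(r'\\([\\;"])', r'\1', value[1:-1]).encode("latin-1")

def rule_fires(rule, payload, tcp_flags="A"):
    """True if the flags and content options both match (assumed model)."""
    opts = parse_options(rule)
    needed = opts["flags"].rstrip("+")  # "A+": ACK set, other flags allowed
    if not all(flag in tcp_flags for flag in needed):
        return False
    return content_bytes(opts["content"]) in payload

# Constructed sample payloads, not captured traffic.
SAMPLES = [
    b"GET /docs/..\\..\\file.txt HTTP/1.0\r\n\r\n",   # literal backslashes
    b"GET /docs/../file.txt HTTP/1.0\r\n\r\n",        # forward slashes only
    b"GET /docs/..%5c..%5cfile.txt HTTP/1.0\r\n\r\n", # URL-encoded backslash
    b"GET /index.html HTTP/1.0\r\n\r\n",
]

if __name__ == "__main__":
    print("pattern:", content_bytes(parse_options(RULE)["content"]))
    for payload in SAMPLES:
        print(rule_fires(RULE, payload), payload)
```

Only the first sample fires: the pattern is a literal backslash after two dots, so forward-slash and URL-encoded forms pass this byte-level match untouched.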