[Snort-users] Directory Traversal

Erek Adams erek at ...577...
Sun Sep 30 18:25:01 EDT 2001

On Sun, 30 Sep 2001, Jim Kipp wrote:

> Yes, I kow where the rule is, but I still don't know what it is exactly
> for. It does look IIS related, because in the payload there are GET
> ../cmd.exe blah blah

If the rule you're refering to is:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC http directory
traversal"; flags: A+; content: "..\\";reference:arachnids,298;
classtype:attempted-recon; sid:1112; rev:1;)

Then it translates into:  Someone used URL with "..\\" in it.  If it's got
cmd.exe tacked onto it, I'd say it is something like CR or Nimda.

Could you post the packet payload?  Sanitized of course! :)

Erek Adams

More information about the Snort-users mailing list