[Snort-users] order of matching rules
cmg at ...950...
Tue Oct 22 18:40:02 EDT 2002
archana rao <archuatdavis at ...131...> writes:
> When I use Snort to detect the attacks towards an IIS
> server which uses the URI:
> GET /scripts/..%c0%af../winnt/system32/cmd.exe/c+"
> why does it raise the alert:
> "WEB--IIS cmd.exe access" with sid:1002 that looks for
> and not the alert:
> "WEB-IIS File permission canonicalization" with
> sid:981 that looks for
%c0%af was probably written before we decoded that URI type. It's
worth investigating further but the URIs are normalized so detecting
it as a raw decode is problematic.
Chris Green <cmg at ...1935...>
Fame may be fleeting but obscurity is forever.
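
Added example, not part of the original message and not Snort's own decoder: a simplified model of URI normalization showing why a pattern for the raw escape stops matching once the URI from the question is normalized, while a pattern for the decoded path still matches. The two patterns and the function names are assumptions made for illustration; they are not the option text of sid:1002 or sid:981.

```python
import re

# Constructed sample: the request URI quoted in the question above.
RAW_URI = '/scripts/..%c0%af../winnt/system32/cmd.exe/c+"'

# Hypothetical content patterns, chosen for illustration only; they are
# not the actual option text of sid:1002 or sid:981.
PATTERNS = {"cmd.exe": b"cmd.exe", "raw-escape": b"%c0%af"}


def percent_decode(data: bytes) -> bytes:
    """Replace each %XX escape with the byte it encodes."""
    return re.sub(rb"%([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def fold_overlong(data: bytes) -> bytes:
    """Map 2-byte overlong UTF-8 sequences (lead 0xC0/0xC1) to ASCII."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        is_cont = i + 1 < len(data) and data[i + 1] & 0xC0 == 0x80
        if b in (0xC0, 0xC1) and is_cont:
            # 110000xx 10yyyyyy encodes a code point below 0x80.
            out.append(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return bytes(out)


def normalize(uri: str) -> bytes:
    """Percent-decode, then fold overlong sequences (simplified model)."""
    return fold_overlong(percent_decode(uri.encode("latin-1")))


def matches(buf: bytes) -> dict:
    """Report which illustrative patterns occur in the buffer."""
    return {name: pat in buf for name, pat in PATTERNS.items()}


if __name__ == "__main__":
    print("raw       :", matches(RAW_URI.encode("latin-1")))
    print("normalized:", normalize(RAW_URI), matches(normalize(RAW_URI)))
```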