[Snort-users] order of matching rules

Chris Green cmg at ...950...
Tue Oct 22 18:40:02 EDT 2002

archana rao <archuatdavis at ...131...> writes:

> When I use Snort to detect the attacks towards an IIS
> server which uses the URI:
> GET /scripts/..%c0%af../winnt/system32/cmd.exe/c+"
> why does it raise the alert:
> "WEB-IIS cmd.exe access" with sid:1002 that looks for
> content:"cmd.exe"
> and not the alert:
> "WEB-IIS File permission canonicalization" with
> sid:981 that looks for
> uricontent:"/scripts/..%c0%af../"?
> Archana

%c0%af was probably written before we decoded that URI type. It's
worth investigating further, but the URIs are normalized, so detecting
it as a raw decode is problematic.
Chris Green <cmg at ...1935...>
Fame may be fleeting but obscurity is forever.
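
Added example, not part of the original thread and not Snort's own code: a simplified Python model of the behaviour described in the reply, assuming `content` is matched against the raw request bytes and `uricontent` against the URI after percent-decoding and folding of overlong two-byte UTF-8. The function names and the `/scripts/../../` pattern are hypothetical, and the request URI is the sample from the question.

```python
import re

# Constructed sample: the request URI quoted in the question.
RAW_URI = "/scripts/..%c0%af../winnt/system32/cmd.exe"

def percent_decode(uri: str) -> bytes:
    """Replace every %XX escape with the byte it encodes."""
    return re.sub(rb"%([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]),
                  uri.encode("latin-1"))

def fold_overlong(data: bytes) -> bytes:
    """Map overlong 2-byte UTF-8 (lead byte 0xC0/0xC1) back to its ASCII byte."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        nxt = data[i + 1] if i + 1 < len(data) else None
        if b in (0xC0, 0xC1) and nxt is not None and nxt & 0xC0 == 0x80:
            out.append(((b & 0x1F) << 6) | (nxt & 0x3F))  # 0xC0 0xAF -> 0x2F '/'
            i += 2
        else:
            out.append(b)
            i += 1
    return bytes(out)

def normalize(uri: str) -> bytes:
    """Assumed model of the decoder output that uricontent is matched against."""
    return fold_overlong(percent_decode(uri))

def evaluate(raw_uri: str) -> dict:
    """Report which patterns hit: content on raw bytes, uricontent on normalized URI."""
    raw = raw_uri.encode("latin-1")
    norm = normalize(raw_uri)
    return {
        # sid:1002 pattern from the question, matched on the raw payload
        "sid1002_content": b"cmd.exe" in raw,
        # sid:981 pattern from the question, matched on the normalized URI
        "sid981_uricontent": b"/scripts/..%c0%af../" in norm,
        # hypothetical pattern written against the normalized form instead
        "normalized_pattern": b"/scripts/../../" in norm,
    }

if __name__ == "__main__":
    print(normalize(RAW_URI))
    print(evaluate(RAW_URI))
```

The sid:981 pattern misses because the escaped bytes it looks for no longer exist once the URI has been decoded, while a pattern expressed in the normalized form still matches.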
