[Snort-users] WEB-MISC http directory traversal - False positive?
Jesper Skou Jensen
jesper.skou.jensen at ...1273...
Thu Aug 14 05:24:05 EDT 2008
Our Snort regularly report "WEB-MISC http directory traversal" and I
believe that it's a false positive. I hope some of you guys can help me
out in analysing this.
Here is the rule that's getting triggered:
rules/web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS
$HTTP_PORTS (msg:"WEB-MISC http directory traversal";
flow:to_server,established; content:"..|5C|"; reference:arachnids,298;
classtype:attempted-recon; sid:1112; rev:6;)
As far as I can see in the captured packet "..|5C|" or "..\" "5C" or
even "\" is nowhere to be found in the actual packet-dump. There is a
bunch of ".." but they appear to be legit parts of the http header. I
would have expected to find either one in the dump, and I'm trying to
find out why this rule is getting triggered.
We are logging via Barnyard and here is the header from the log. The
actual packet payload has been stripped out for security reasons.
[**] [1:1112:6] WEB-MISC http directory traversal [**]
[Classification: Attempted Information Leak] [Priority: 2]
[Xref => http://www.whitehats.com/info/IDS298]
Event ID: 1027122 Event Reference: 1027122
08/14/08-08:08:42.106881 [REMOVED]:30111 -> [REMOVED]:80
TCP TTL:53 TOS:0x0 ID:16356 IpLen:20 DgmLen:863
***AP*** Seq: 0x11BD2580 Ack: 0xEACE3C2 Win: 0xFFFF TcpLen: 32
TCP Options (3) => NOP NOP TS: 47859088 297178
Any ideas why this is getting triggered?
Jesper S. Jensen
Uni-C - Århus, Danmark
More information about the Snort-users