[Snort-users] WEB-MISC http directory traversal - False positive?

Jesper Skou Jensen jesper.skou.jensen at ...1273...
Thu Aug 14 05:24:05 EDT 2008

Hi guys,

Our Snort regularly report "WEB-MISC http directory traversal" and I 
believe that it's a false positive. I hope some of you guys can help me 
out in analysing this.

Here is the rule that's getting triggered:

rules/web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 
$HTTP_PORTS (msg:"WEB-MISC http directory traversal"; 
flow:to_server,established; content:"..|5C|"; reference:arachnids,298; 
classtype:attempted-recon; sid:1112; rev:6;)

As far as I can see in the captured packet "..|5C|" or "..\" "5C" or 
even "\" is nowhere to be found in the actual packet-dump. There is a 
bunch of ".." but they appear to be legit parts of the http header. I 
would have expected to find either one in the dump, and I'm trying to 
find out why this rule is getting triggered.

We are logging via Barnyard and here is the header from the log. The 
actual packet payload has been stripped out for security reasons.

[**] [1:1112:6] WEB-MISC http directory traversal [**]
[Classification: Attempted Information Leak] [Priority: 2]
[Xref => http://www.whitehats.com/info/IDS298]
Event ID: 1027122     Event Reference: 1027122
08/14/08-08:08:42.106881 [REMOVED]:30111 -> [REMOVED]:80
TCP TTL:53 TOS:0x0 ID:16356 IpLen:20 DgmLen:863
***AP*** Seq: 0x11BD2580  Ack: 0xEACE3C2  Win: 0xFFFF  TcpLen: 32
TCP Options (3) => NOP NOP TS: 47859088 297178

Any ideas why this is getting triggered?


Jesper S. Jensen
Uni-C - Århus, Danmark

More information about the Snort-users mailing list