[Snort-users] WEB-MISC http directory traversal - False positive?

Joel Esler eslerj at ...11827...
Thu Aug 14 08:59:17 EDT 2008


It's rather hard to troubleshoot why a rule is firing if the packet
isn't available.

Joel

On Aug 14, 2008, at 5:24 AM, Jesper Skou Jensen wrote:

> Hi guys,
>
> Our Snort regularly reports "WEB-MISC http directory traversal" and I
> believe that it's a false positive. I hope some of you guys can help
> me out in analysing this.
>
> Here is the rule that's getting triggered:
>
> rules/web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS
> $HTTP_PORTS (msg:"WEB-MISC http directory traversal";
> flow:to_server,established; content:"..|5C|"; reference:arachnids,298;
> classtype:attempted-recon; sid:1112; rev:6;)
>
> As far as I can see in the captured packet "..|5C|" or "..\" "5C" or
> even "\" is nowhere to be found in the actual packet-dump. There is a
> bunch of ".." but they appear to be legit parts of the http header. I
> would have expected to find either one in the dump, and I'm trying to
> find out why this rule is getting triggered.
>
>
> We are logging via Barnyard and here is the header from the log. The
> actual packet payload has been stripped out for security reasons.
>
> [**] [1:1112:6] WEB-MISC http directory traversal [**]
> [Classification: Attempted Information Leak] [Priority: 2]
> [Xref => http://www.whitehats.com/info/IDS298]
> Event ID: 1027122     Event Reference: 1027122
> 08/14/08-08:08:42.106881 [REMOVED]:30111 -> [REMOVED]:80
> TCP TTL:53 TOS:0x0 ID:16356 IpLen:20 DgmLen:863
> ***AP*** Seq: 0x11BD2580  Ack: 0xEACE3C2  Win: 0xFFFF  TcpLen: 32
> TCP Options (3) => NOP NOP TS: 47859088 297178
>
>
> Any ideas why this is getting triggered?
>
>
> -- 
>
> Jesper S. Jensen
> Uni-C - Århus, Danmark
>


--
Joel Esler
  http://blog.joelesler.net
  http://www.dearcupertino.com
[m]
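As an added example (not part of the thread and not Snort's own code), here is a small Python helper that does what the quoted sid 1112 rule does when Snort evaluates it: it decodes the content string "..|5C|" (pipes enclose hex bytes, so this is the three bytes 2e 2e 5c, i.e. "..\") and searches the raw TCP payload for it. Because the rule as quoted carries no uricontent, offset or depth modifiers, the match applies to the entire payload, headers and body alike, not only the request line. The two HTTP requests below are constructed samples, not packets from the list; the function names are my own.

```python
"""Reproduce Snort's plain `content:` match for sid 1112 ("..|5C|").

Added illustration; constructed sample requests, not traffic from the thread.
"""


def parse_snort_content(pattern: str) -> bytes:
    """Turn a Snort content string into raw bytes.

    Text outside pipes is taken literally; text between pipes is hex,
    so "..|5C|" becomes b"..\\" (0x2e 0x2e 0x5c).
    """
    out = bytearray()
    i = 0
    while i < len(pattern):
        if pattern[i] == "|":
            end = pattern.index("|", i + 1)          # closing pipe
            out += bytes.fromhex(pattern[i + 1:end].replace(" ", ""))
            i = end + 1
        else:
            out += pattern[i].encode("ascii")
            i += 1
    return bytes(out)


def find_content(payload: bytes, pattern: str) -> list:
    """Return every payload offset at which the content bytes occur.

    Without uricontent/offset/depth modifiers Snort checks the whole
    payload, which is what this plain byte search does.
    """
    needle = parse_snort_content(pattern)
    hits, start = [], 0
    while True:
        idx = payload.find(needle, start)
        if idx < 0:
            return hits
        hits.append(idx)
        start = idx + 1


def explain_hit(payload: bytes, offset: int, width: int = 12) -> str:
    """Hex and printable view around a hit, so the matched bytes are visible
    even when the alert was logged without its payload."""
    lo, hi = max(0, offset - width), offset + width
    chunk = payload[lo:hi]
    printable = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
    return f"offset {offset}: hex={chunk.hex(' ')} text={printable!r}"


# Constructed sample: a benign request whose header contains ".." twice
# but no backslash. Snort's rule should NOT fire on this one.
CLEAN_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Referer: http://www.example.com/search?q=what..is..this\r\n"
    b"\r\n"
)

# Constructed sample: a request whose URI holds backslash traversal
# sequences, the case sid 1112 is meant to catch.
TRAVERSAL_REQUEST = (
    b"GET /images/..\\..\\private.txt HTTP/1.0\r\n"
    b"Host: www.example.com\r\n"
    b"\r\n"
)

RULE_CONTENT = "..|5C|"   # taken verbatim from the quoted sid 1112 rule


if __name__ == "__main__":
    for name, payload in (("clean", CLEAN_REQUEST), ("traversal", TRAVERSAL_REQUEST)):
        hits = find_content(payload, RULE_CONTENT)
        print(f"{name}: {len(hits)} hit(s) for {RULE_CONTENT!r}")
        for off in hits:
            print("  " + explain_hit(payload, off))
```

Running the block prints no hit for the clean request (".." alone is not enough; the rule needs the following 0x5c byte) and two hits for the traversal request, each shown in hex. Feeding the full raw payload from the alert into find_content, rather than a printable dump, is the reliable way to see which bytes satisfied the rule.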