[Snort-users] WEB-MISC http directory traversal - False positive?

Jesper Skou Jensen jesper.skou.jensen at ...1273...
Thu Aug 14 09:46:55 EDT 2008

Yea I realize that, but there is somewhat sensitive material in the dump 
that I didn't want to send to this list.

But the most interesting part of the rule is content:"..|5C|"

Wouldn't it mean that for this rule to fire this specific string would 
have to be in the packet?

As stated below that is not the case here, and that is quite weird imo.


Jesper S. Jensen
Uni-C - Århus, Danmark

Joel Esler wrote:
> It's rather hard to troubleshoot why a rule is firing, if the packet 
> isn't available.
> Joel
> On Aug 14, 2008, at 5:24 AM, Jesper Skou Jensen wrote:
>> Hi guys,
>> Our Snort regularly report "WEB-MISC http directory traversal" and I
>> believe that it's a false positive. I hope some of you guys can help me
>> out in analysing this.
>> Here is the rule that's getting triggered:
>> rules/web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS
>> $HTTP_PORTS (msg:"WEB-MISC http directory traversal";
>> flow:to_server,established; content:"..|5C|"; reference:arachnids,298;
>> classtype:attempted-recon; sid:1112; rev:6;)
>> As far as I can see in the captured packet "..|5C|" or "..\" "5C" or
>> even "\" is nowhere to be found in the actual packet-dump. There is a
>> bunch of ".." but they appear to be legit parts of the http header. I
>> would have expected to find either one in the dump, and I'm trying to
>> find out why this rule is getting triggered.
>> We are logging via Barnyard and here is the header from the log. The
>> actual packet payload has been stripped out for security reasons.
>> [**] [1:1112:6] WEB-MISC http directory traversal [**]
>> [Classification: Attempted Information Leak] [Priority: 2]
>> [Xref => http://www.whitehats.com/info/IDS298]
>> Event ID: 1027122     Event Reference: 1027122
>> 08/14/08-08:08:42.106881 [REMOVED]:30111 -> [REMOVED]:80
>> TCP TTL:53 TOS:0x0 ID:16356 IpLen:20 DgmLen:863
>> ***AP*** Seq: 0x11BD2580  Ack: 0xEACE3C2  Win: 0xFFFF  TcpLen: 32
>> TCP Options (3) => NOP NOP TS: 47859088 297178
>> Any ideas why this is getting triggered?
>> -- 
 >> Jesper S. Jensen
 >> Uni-C - Århus, Danmark

More information about the Snort-users mailing list