[Snort-users] WEB-MISC http directory traversal - False positive?
eslerj at ...11827...
Thu Aug 14 09:49:45 EDT 2008
If you aren't comfortable with emailing the packet to the list, file a
formal false positive report with the VRT at sourcefire dot com,
include the full packet dump, and they will take a look.
On Aug 14, 2008, at 9:46 AM, Jesper Skou Jensen wrote:
> Yea I realize that, but there is somewhat sensitive material in the
> packet that I didn't want to send to this list.
> But the most interesting part of the rule is content:"..|5C|"
> Wouldn't it mean that for this rule to fire this specific string would
> have to be in the packet?
> As stated below that is not the case here, and that is quite weird
> Jesper S. Jensen
> Uni-C - Århus, Danmark
> Joel Esler wrote:
>> It's rather hard to troubleshoot why a rule is firing, if the packet
>> isn't available.
>> On Aug 14, 2008, at 5:24 AM, Jesper Skou Jensen wrote:
>>> Hi guys,
>>> Our Snort regularly reports "WEB-MISC http directory traversal" and I
>>> believe that it's a false positive. I hope some of you guys can help me
>>> out in analysing this.
>>> Here is the rule that's getting triggered:
>>> rules/web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC http directory traversal"; flow:to_server,established; content:"..|5C|"; reference:arachnids,298; classtype:attempted-recon; sid:1112; rev:6;)
>>> As far as I can see in the captured packet, "..|5C|" or "..\" or "5C" or
>>> even "\" is nowhere to be found in the actual packet-dump. There is a
>>> bunch of ".." but they appear to be legit parts of the http header. I
>>> would have expected to find either one in the dump, and I'm trying to
>>> find out why this rule is getting triggered.
>>> We are logging via Barnyard and here is the header from the log. The
>>> actual packet payload has been stripped out for security reasons.
>>> [**] [1:1112:6] WEB-MISC http directory traversal [**]
>>> [Classification: Attempted Information Leak] [Priority: 2]
>>> [Xref => http://www.whitehats.com/info/IDS298]
>>> Event ID: 1027122 Event Reference: 1027122
>>> 08/14/08-08:08:42.106881 [REMOVED]:30111 -> [REMOVED]:80
>>> TCP TTL:53 TOS:0x0 ID:16356 IpLen:20 DgmLen:863
>>> ***AP*** Seq: 0x11BD2580 Ack: 0xEACE3C2 Win: 0xFFFF TcpLen: 32
>>> TCP Options (3) => NOP NOP TS: 47859088 297178
>>> Any ideas why this is getting triggered?
>>> Jesper S. Jensen
>>> Uni-C - Århus, Danmark
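Added example (not part of the thread, and not Snort's code): the rule's content:"..|5C|" is Snort's pipe-hex syntax for the three raw bytes ".." followed by a backslash (0x5C). The small script below decodes that syntax the way Snort does and then scans constructed HTTP requests two ways, against the raw bytes as they appear on the wire and against the URL-decoded request line. It shows that legitimate ".." in headers never matches, that a literal "..\" in the request line matches in both views, and that a "%5c"-encoded traversal matches only after decoding. When a rule fires but the logged packet does not contain the literal bytes, comparing the raw bytes against the buffer the detection engine actually inspected (a decoded or reassembled buffer rather than the single logged segment) is the first thing to check. The function names and the sample requests are constructed for the example; the content string and sid are from the rule quoted above.

```python
from urllib.parse import unquote_to_bytes

# Snort "content" syntax: literal text, with |..| delimiting runs of hex bytes.
# "..|5C|" -> b"..\\" ; "|2E 2E 5C|" is the same three bytes spelled entirely in hex.
def snort_content_to_bytes(content: str) -> bytes:
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")      # literal text outside the pipes
        else:
            out += bytes.fromhex(part)         # hex inside the pipes; spaces are allowed
    return bytes(out)


def find_matches(payload: bytes, pattern: bytes) -> list:
    """Return the offset of every occurrence of pattern in payload (plain byte search,
    no depth/offset/nocase modifiers, which the quoted rule does not use either)."""
    offsets, start = [], 0
    while True:
        idx = payload.find(pattern, start)
        if idx == -1:
            return offsets
        offsets.append(idx)
        start = idx + 1


def inspect_request(raw: bytes, pattern: bytes) -> dict:
    """Scan the raw request bytes, and separately the URL-decoded request line,
    so the two views can be compared for a given pattern."""
    request_line = raw.split(b"\r\n", 1)[0]
    decoded_line = unquote_to_bytes(request_line)   # %5c -> backslash, %2e -> '.' etc.
    return {
        "raw": find_matches(raw, pattern),
        "decoded_request_line": find_matches(decoded_line, pattern),
    }


# Pattern from the quoted rule (sid:1112): content:"..|5C|"
PATTERN = snort_content_to_bytes("..|5C|")

# Constructed sample requests (not from the thread; hostnames and paths are made up).
# 1. Benign request whose headers contain ".." as ordinary text.
BENIGN = (b"GET /index.html HTTP/1.1\r\n"
          b"Host: www.example.com\r\n"
          b"Referer: http://www.example.com/some..page..html\r\n\r\n")

# 2. Literal backslash traversal: the bytes ..\ are present on the wire.
LITERAL = (b"GET /docs/..\\..\\secret.txt HTTP/1.1\r\n"
           b"Host: www.example.com\r\n\r\n")

# 3. Percent-encoded backslash: ..%5c on the wire, ..\ only after decoding.
ENCODED = (b"GET /docs/..%5c..%5csecret.txt HTTP/1.1\r\n"
           b"Host: www.example.com\r\n\r\n")


def run_all() -> dict:
    """Return the match offsets for each constructed request under both views."""
    return {
        "benign": inspect_request(BENIGN, PATTERN),
        "literal": inspect_request(LITERAL, PATTERN),
        "encoded": inspect_request(ENCODED, PATTERN),
    }


if __name__ == "__main__":
    print("pattern bytes:", PATTERN)
    for name, result in run_all().items():
        print(f"{name:8s} raw={result['raw']} decoded_request_line={result['decoded_request_line']}")
```

Running it prints the pattern as b'..\\' and shows the benign request matching nowhere, the literal request matching at the same two offsets in both views, and the encoded request matching only in the decoded request line. For a report to the VRT, the equivalent check on the real payload (raw bytes versus whatever normalized buffer the preprocessor handed to the engine) is what lets them confirm whether sid 1112 fired on bytes that were really there.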