[Snort-users] WEB-MISC http directory traversal - False positive?

Joel Esler eslerj at ...11827...
Thu Aug 14 09:49:45 EDT 2008


If you aren't comfortable with emailing the packet to the list, file a formal false positive report with the VRT at sourcefire dot com, include the full packet dump, and they will take a look.

J

On Aug 14, 2008, at 9:46 AM, Jesper Skou Jensen wrote:

> Yeah, I realize that, but there is somewhat sensitive material in the dump
> that I didn't want to send to this list.
>
> But the most interesting part of the rule is content:"..|5C|"
>
> Wouldn't it mean that for this rule to fire this specific string would
> have to be in the packet?
>
> As stated below that is not the case here, and that is quite weird imo.
>
> --
>
> Jesper S. Jensen
> Uni-C - Århus, Danmark
>
>
> Joel Esler wrote:
>> It's rather hard to troubleshoot why a rule is firing, if the packet
>> isn't available.
>>
>> Joel
>>
>> On Aug 14, 2008, at 5:24 AM, Jesper Skou Jensen wrote:
>>
>>> Hi guys,
>>>
>>> Our Snort regularly reports "WEB-MISC http directory traversal" and I
>>> believe that it's a false positive. I hope some of you guys can help me
>>> out in analysing this.
>>>
>>> Here is the rule that's getting triggered:
>>>
>>> rules/web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC http directory traversal"; flow:to_server,established; content:"..|5C|"; reference:arachnids,298; classtype:attempted-recon; sid:1112; rev:6;)
>>>
>>> As far as I can see in the captured packet "..|5C|" or "..\" "5C" or
>>> even "\" is nowhere to be found in the actual packet-dump. There is a
>>> bunch of ".." but they appear to be legit parts of the http header. I
>>> would have expected to find either one in the dump, and I'm trying to
>>> find out why this rule is getting triggered.
>>>
>>>
>>> We are logging via Barnyard and here is the header from the log. The
>>> actual packet payload has been stripped out for security reasons.
>>>
>>> [**] [1:1112:6] WEB-MISC http directory traversal [**]
>>> [Classification: Attempted Information Leak] [Priority: 2]
>>> [Xref => http://www.whitehats.com/info/IDS298]
>>> Event ID: 1027122     Event Reference: 1027122
>>> 08/14/08-08:08:42.106881 [REMOVED]:30111 -> [REMOVED]:80
>>> TCP TTL:53 TOS:0x0 ID:16356 IpLen:20 DgmLen:863
>>> ***AP*** Seq: 0x11BD2580  Ack: 0xEACE3C2  Win: 0xFFFF  TcpLen: 32
>>> TCP Options (3) => NOP NOP TS: 47859088 297178
>>>
>>>
>>> Any ideas why this is getting triggered?
>>>
>>>
>>> -- 
>>>
>>> Jesper S. Jensen
>>> Uni-C - Århus, Danmark
>


--
Joel Esler
  http://blog.joelesler.net
  http://www.dearcupertino.com
[m]
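As an added example (not code from this thread or from the Snort project), the following parses the rule's content string the way Snort reads it, with |5C| standing for the single byte 0x5C (a backslash), and searches constructed HTTP payloads for those bytes both raw and after percent-decoding, which is one quick way to see whether the pattern is present in a form that is easy to miss when eyeballing a dump. The sample requests and the function names are my own assumptions, not the poster's withheld packet.

```python
from urllib.parse import unquote

def parse_snort_content(pattern: str) -> bytes:
    """Turn a Snort content string into the bytes Snort searches for.
    Text between a pair of pipes is hex byte values (|5C| is one 0x5C byte,
    i.e. a backslash); everything outside the pipes is taken literally."""
    out, in_hex = bytearray(), False
    for chunk in pattern.split("|"):
        if in_hex:
            out.extend(bytes.fromhex(chunk.replace(" ", "")))
        else:
            out.extend(chunk.encode("latin-1"))
        in_hex = not in_hex
    return bytes(out)

def find_all(haystack: bytes, needle: bytes) -> list:
    """Every offset at which needle occurs in haystack (overlaps allowed)."""
    offsets, start = [], 0
    while (i := haystack.find(needle, start)) != -1:
        offsets.append(i)
        start = i + 1
    return offsets

def check_payload(payload: bytes, pattern: str = "..|5C|") -> dict:
    """Look for the rule's content bytes in the raw payload, then again after
    percent-decoding so an encoded form such as %5C is not overlooked."""
    needle = parse_snort_content(pattern)
    decoded = unquote(payload.decode("latin-1"), encoding="latin-1").encode("latin-1")
    return {
        "needle": needle,
        "raw_offsets": find_all(payload, needle),
        "decoded_offsets": find_all(decoded, needle),
        "dotdot_count": payload.count(b".."),  # the bare ".." the poster saw
    }

# Constructed sample requests (hypothetical; the real packet was withheld).
SAMPLE_BENIGN = (b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"
                 b"User-Agent: Foo..Bar (..)\r\n\r\n")
SAMPLE_ENCODED = b"GET /cgi-bin/..%5C..%5Cconfig HTTP/1.1\r\nHost: example.test\r\n\r\n"
SAMPLE_LITERAL = b"GET /..\\..\\secret HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    for name, pkt in [("benign", SAMPLE_BENIGN), ("encoded", SAMPLE_ENCODED),
                      ("literal", SAMPLE_LITERAL)]:
        print(name, check_payload(pkt))
```

A payload that only shows hits in decoded_offsets tells you the bytes are there in encoded form; one with no hits in either column is worth sending on as a false positive report together with the full dump.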


