[Snort-users] WEB-MISC http directory traversal - False positive?

JJ Cummings cummingsj at ...11827...
Thu Aug 14 09:58:34 EDT 2008


or remove the sensitive material itself from the packet.....

a variety of tools are available for this purpose -> 
http://www.tm.uka.de/pktanon/ is one such tool

J

Joel Esler wrote:
> If you aren't comfortable with emailing the packet to the list, file a 
> formal false positive report with the VRT at sourcefire dot com, 
> include the full packet dump, and they will take a look.
>
> J
>
> On Aug 14, 2008, at 9:46 AM, Jesper Skou Jensen wrote:
>
>> Yeah, I realize that, but there is somewhat sensitive material in the dump
>> that I didn't want to send to this list.
>>
>> But the most interesting part of the rule is content:"..|5C|"
>>
>> Wouldn't it mean that for this rule to fire this specific string would
>> have to be in the packet?
>>
>> As stated below that is not the case here, and that is quite weird imo.
>>
>> --
>>
>> Jesper S. Jensen
>> Uni-C - Århus, Danmark
>>
>>
>> Joel Esler wrote:
>>> It's rather hard to troubleshoot why a rule is firing, if the packet
>>> isn't available.
>>>
>>> Joel
>>>
>>> On Aug 14, 2008, at 5:24 AM, Jesper Skou Jensen wrote:
>>>
>>>> Hi guys,
>>>>
>>>> Our Snort regularly reports "WEB-MISC http directory traversal" and I
>>>> believe that it's a false positive. I hope some of you guys can help me
>>>> out in analysing this.
>>>>
>>>> Here is the rule that's getting triggered:
>>>>
>>>> rules/web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS
>>>> $HTTP_PORTS (msg:"WEB-MISC http directory traversal";
>>>> flow:to_server,established; content:"..|5C|"; reference:arachnids,298;
>>>> classtype:attempted-recon; sid:1112; rev:6;)
>>>>
>>>> As far as I can see in the captured packet "..|5C|" or "..\" "5C" or
>>>> even "\" is nowhere to be found in the actual packet-dump. There is a
>>>> bunch of ".." but they appear to be legit parts of the http header. I
>>>> would have expected to find either one in the dump, and I'm trying to
>>>> find out why this rule is getting triggered.
>>>>
>>>>
>>>> We are logging via Barnyard and here is the header from the log. The
>>>> actual packet payload has been stripped out for security reasons.
>>>>
>>>> [**] [1:1112:6] WEB-MISC http directory traversal [**]
>>>> [Classification: Attempted Information Leak] [Priority: 2]
>>>> [Xref => http://www.whitehats.com/info/IDS298]
>>>> Event ID: 1027122     Event Reference: 1027122
>>>> 08/14/08-08:08:42.106881 [REMOVED]:30111 -> [REMOVED]:80
>>>> TCP TTL:53 TOS:0x0 ID:16356 IpLen:20 DgmLen:863
>>>> ***AP*** Seq: 0x11BD2580  Ack: 0xEACE3C2  Win: 0xFFFF  TcpLen: 32
>>>> TCP Options (3) => NOP NOP TS: 47859088 297178
>>>>
>>>>
>>>> Any ideas why this is getting triggered?
>>>>
>>>>
>>>> -- 
>>>>
>>>> Jesper S. Jensen
>>>> Uni-C - Århus, Danmark
>>
>
>
> --
> Joel Esler
>http://blog.joelesler.net
>http://www.dearcupertino.com
> [m]
>
>
>
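As an added example (not code from the thread or from the Snort project), the Python below parses Snort's content syntax, including the |5C| hex notation used by sid:1112, and runs that check against two constructed HTTP requests. The percent-decoded comparison is a caveat to rule out rather than a claimed cause of the alert: a plain content match is not a raw-bytes match unless the rawbytes modifier is set, so the buffer Snort searched may differ from the raw dump.

```python
from urllib.parse import unquote

# Parse a Snort "content" string into the bytes the engine searches for.
# Text outside |...| is literal (with \| \; \" \\ escapes); text inside
# is space-separated hex bytes, e.g. "..|5C|" -> b'..\\'.
def parse_snort_content(pattern: str) -> bytes:
    out = bytearray()
    i, n = 0, len(pattern)
    while i < n:
        ch = pattern[i]
        if ch == "|":
            end = pattern.index("|", i + 1)      # ValueError if unbalanced
            for tok in pattern[i + 1:end].split():
                out.append(int(tok, 16))
            i = end + 1
        elif ch == "\\" and i + 1 < n:
            out.append(ord(pattern[i + 1]))     # escaped literal: \| \; \" \\
            i += 2
        else:
            out.append(ord(ch))
            i += 1
    return bytes(out)

def find_content(payload: bytes, pattern: str, nocase: bool = False) -> int:
    """Offset of the first match of a content pattern, or -1 if absent."""
    needle = parse_snort_content(pattern)
    if nocase:
        return payload.lower().find(needle.lower())
    return payload.find(needle)

# Constructed sample requests (hypothetical, not the packet from the thread).
# Header contains ".." but no backslash: the raw content check does NOT match.
CLEAN_REQUEST = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                 b"User-Agent: Mozilla/5.0 (X11; Linux..) ..\r\n\r\n")
# Percent-encoded backslash: the raw bytes contain no 0x5C either.
ENCODED_REQUEST = (b"GET /docs/..%5Csecret.txt HTTP/1.1\r\n"
                   b"Host: www.example.com\r\n\r\n")

def check_sid1112(payload: bytes) -> dict:
    """Evaluate sid:1112's content:"..|5C|" against the raw payload and,
    as a caveat, against a percent-decoded view of the same bytes."""
    decoded = unquote(payload.decode("latin-1")).encode("latin-1")
    return {"raw": find_content(payload, "..|5C|"),
            "decoded": find_content(decoded, "..|5C|")}
```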