[Snort-users] Updated rule sid 3192 WEB-CLIENT Windows Media Player directory traversal via Content-Disposition attempt

Willst Mail willstmail at ...11827...
Wed Feb 24 14:06:01 EST 2010


Hello,
The VRT signatures released 2010-02-23 contain an updated version of
SID 3192 "WEB-CLIENT Windows Media Player directory traversal via
Content-Disposition attempt."  It looks like the rule became more
generic than previous revisions: whereas earlier revisions had a pcre,
this one just looks for "Content-Disposition " followed at some point
by "filename=".  We previously saw almost no alerts generated by this
rule, but we have been seeing about 1200 per hour since the updated
rule was released.  All of the alerts look to be responses from web
servers to our internal clients, with an external sensor reporting the
destination IP as our outbound gateway.

Is anyone else seeing this sort of behavior?  From the handful of
packets I have looked at so far, these appear to be mostly false
positives.
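
Added example, not part of the original post and not the VRT rule text: a Python comparison of the loose match described above with a stricter check that only fires when the filename value contains a traversal sequence. The stricter regex, the function names and the sample responses are constructed assumptions for illustration.

```python
import re
from urllib.parse import unquote

# Loose check as described in the post: the header name followed at some
# point by "filename=". Constructed here; not the actual rule content.
def generic_match(headers: str) -> bool:
    lower = headers.lower()
    i = lower.find("content-disposition")
    return i != -1 and "filename=" in lower[i:]

# Hypothetical stricter check: extract the filename value from the
# Content-Disposition line and alert only on ../ or ..\ after URL-decoding.
_FILENAME = re.compile(
    r'content-disposition\s*:[^\r\n]*?filename\*?\s*=\s*("[^"\r\n]*"|[^;\r\n]*)',
    re.I,
)
_TRAVERSAL = re.compile(r'\.\.[\\/]')

def traversal_match(headers: str) -> bool:
    m = _FILENAME.search(headers)
    return bool(m and _TRAVERSAL.search(unquote(m.group(1))))

def summarize(samples):
    """Return (loose hits, strict hits) over a list of header blocks."""
    return (sum(generic_match(s) for s in samples),
            sum(traversal_match(s) for s in samples))

# Constructed server responses (headers only), as an external sensor would
# see them heading to internal clients.
SAMPLES = [
    'HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n'
    'Content-Disposition: attachment; filename="report.pdf"\r\n\r\n',
    'HTTP/1.1 200 OK\r\nContent-Disposition: inline; filename=song.wma\r\n\r\n',
    'HTTP/1.1 200 OK\r\n'
    'Content-Disposition: attachment; filename="..\\..\\sample.asx"\r\n\r\n',
    'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n',
    'HTTP/1.1 200 OK\r\n'
    'Content-Disposition: attachment; filename=%2e%2e%2fclip.wmv\r\n\r\n',
    'HTTP/1.1 200 OK\r\n'
    'Content-Disposition: attachment; filename="notes..final.txt"\r\n\r\n',
]

if __name__ == "__main__":
    loose, strict = summarize(SAMPLES)
    print(f"loose match alerts: {loose}, traversal-aware alerts: {strict}")
```

Every ordinary file download carries this header, which is why the loose match alerts on nearly all of the samples while the traversal-aware check alerts on two.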



