[Snort-users] Updated rule sid 3192 WEB-CLIENT Windows Media Player directory traversal via Content-Disposition attempt
molney at ...1935...
Wed Feb 24 14:27:01 EST 2010
I jacked this rule up when I committed it into the system. The analyst
that did it correctly built the rule and in testing I failed to get
the PCRE back in.
This will be fixed next build, but in the meantime, here is what it SHOULD be:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT
Windows Media Player directory traversal via Content-Disposition attempt";
content:"Content-Disposition|3A|"; nocase; content:"filename=";
metadata:policy security-ips drop; reference:bugtraq,7517;
classtype:attempted-user; sid:3192; rev:8;)
On Wed, Feb 24, 2010 at 2:06 PM, Willst Mail <willstmail at ...11827...> wrote:
> The VRT signatures released 2010-02-23 contain an updated version of
> SID 3192 "WEB-CLIENT Windows Media Player directory traversal via
> Content-Disposition attempt." It looks like the rule became more
> generic than previous revisions: whereas earlier revisions had a pcre,
> this one just looks for "Content-Disposition " followed at some point
> by "filename=". We previously saw almost no alerts generated by this
> rule, but we have been seeing about 1200 per hour since the updated
> rule was released. All of the alerts look to be responses from web
> servers to our internal clients, with an external sensor reporting the
> destination IP as our outbound gateway.
> Is anyone else seeing this sort of behavior? From the handful of
> packets I have looked at so far, these appear to be mostly false
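To show why the revision without the pcre is so noisy, here is an added illustration (not the VRT rule and not Sourcefire's code): a small matcher that emulates just the two content checks in the posted rule, beside one that additionally requires a directory-traversal sequence inside the filename parameter, run over constructed HTTP response headers. The traversal pattern is an assumption about what the missing pcre is meant to check, not the actual VRT regex.

```python
import re

# Constructed sample HTTP response header blocks (not captured traffic).
BENIGN_DOWNLOAD = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/octet-stream\r\n"
    'Content-Disposition: attachment; filename="report.pdf"\r\n'
    "\r\n"
)
TRAVERSAL_ATTEMPT = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: video/x-ms-asf\r\n"
    'Content-Disposition: attachment; filename="..\\..\\evil.asx"\r\n'
    "\r\n"
)
NO_DISPOSITION = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"


def generic_rule_matches(response: str) -> bool:
    """Emulates rev 8 as posted: 'Content-Disposition:' (nocase) followed
    somewhere later by a case-sensitive 'filename='.  This fires on every
    ordinary attachment download, which is the flood of alerts described."""
    pos = response.lower().find("content-disposition:")
    return pos != -1 and response.find("filename=", pos) != -1


# Assumed traversal check: a '../' or '..\' sequence, raw or URL-encoded,
# inside the filename value.  Approximates the intent of the missing pcre;
# it is NOT the VRT regex.
TRAVERSAL = re.compile(
    r"content-disposition:[^\r\n]*?filename=\"?[^\r\n\"]*"
    r"(?:\.\.[\\/]|%2e%2e(?:%2f|%5c))",
    re.IGNORECASE,
)


def strict_rule_matches(response: str) -> bool:
    """Generic content checks plus a traversal sequence in the filename."""
    return generic_rule_matches(response) and TRAVERSAL.search(response) is not None


def alert_counts(responses):
    """Return (generic_alerts, strict_alerts) for a batch of responses."""
    generic = sum(generic_rule_matches(r) for r in responses)
    strict = sum(strict_rule_matches(r) for r in responses)
    return generic, strict


if __name__ == "__main__":
    batch = [BENIGN_DOWNLOAD] * 5 + [TRAVERSAL_ATTEMPT, NO_DISPOSITION]
    print(alert_counts(batch))  # (6, 1)
```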