[Snort-users] Updated rule sid 3192 WEB-CLIENT Windows Media Player directory traversal via Content-Disposition attempt

Matt Olney molney at ...1935...
Wed Feb 24 14:27:01 EST 2010


I jacked this rule up when I committed it into the system.  The analyst
that did it correctly built the rule and in testing I failed to get
the PCRE back in.

This will be fixed next build, but in the meantime, here is what it SHOULD be:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"WEB-CLIENT Windows Media Player directory traversal via Content-Disposition attempt"; \
    flow:from_server,established; \
    content:"Content-Disposition|3A|"; nocase; \
    content:"filename="; distance:0; nocase; \
    pcre:"/[^\x3b\x3a\r\n]*(\x25\x2e\x25\x2e\x25\x5c|\x25\x32\x65\x25\x35\x63|\x2e\x2e\x5c)[^\x3b\x3a\r\n]*\x2ewmz/smi"; \
    metadata:policy security-ips drop; \
    reference:bugtraq,7517; reference:cve,2003-0228; reference:nessus,11595; \
    reference:url,www.microsoft.com/technet/security/bulletin/MS03-017.mspx; \
    classtype:attempted-user; sid:3192; rev:8; \
)

Matt
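
The difference between the revision that shipped (content matches only) and the corrected rule above (content matches plus the PCRE) can be checked outside Snort. The following is an added example, not part of this thread or of the VRT rule set: it re-implements the rule's three detection steps with Python's re module as a stand-in for Snort's PCRE engine, and runs them over a handful of constructed HTTP responses to show which ones each revision would alert on.

```python
import re

# Added example: the detection steps of sid:3192 re-implemented with Python's
# re module (a stand-in for Snort's PCRE engine, not Snort itself).
# The sample HTTP responses below are constructed for illustration.

# content:"Content-Disposition|3A|"; nocase;
CONTENT_DISPOSITION = re.compile(r"Content-Disposition\x3a", re.IGNORECASE)
# content:"filename="; distance:0; nocase;  (must appear after the first match)
FILENAME = re.compile(r"filename=", re.IGNORECASE)
# The pcre from the corrected rule, with its s, m and i flags mapped to re flags
TRAVERSAL_WMZ = re.compile(
    r"[^\x3b\x3a\r\n]*"
    r"(\x25\x2e\x25\x2e\x25\x5c|\x25\x32\x65\x25\x35\x63|\x2e\x2e\x5c)"
    r"[^\x3b\x3a\r\n]*\x2ewmz",
    re.DOTALL | re.MULTILINE | re.IGNORECASE,
)


def matches_generic_rule(payload: str) -> bool:
    """The revision shipped without the PCRE: any Content-Disposition header
    followed by a filename= parameter fires, i.e. practically every download."""
    header = CONTENT_DISPOSITION.search(payload)
    if header is None:
        return False
    return FILENAME.search(payload, header.end()) is not None


def matches_corrected_rule(payload: str) -> bool:
    """The rule as it should be: the content matches plus the PCRE, which
    requires a '..\\' (literal or percent-encoded) and a .wmz extension."""
    return matches_generic_rule(payload) and TRAVERSAL_WMZ.search(payload) is not None


def _response(headers: str, body: str = "") -> str:
    """Build a minimal HTTP/1.1 response from a header block and body."""
    return "HTTP/1.1 200 OK\r\n" + headers + "\r\n\r\n" + body


# Constructed sample server responses (not real captures).
SAMPLES = {
    "html_page": _response("Content-Type: text/html", "<html></html>"),
    "pdf_download": _response(
        'Content-Type: application/pdf\r\n'
        'Content-Disposition: attachment; filename="report.pdf"'
    ),
    "plain_wmz": _response('Content-Disposition: attachment; filename="skin.wmz"'),
    "traversal_wmz": _response(
        'Content-Disposition: attachment; filename="..\\..\\evil.wmz"'
    ),
    "encoded_traversal_wmz": _response(
        'Content-Disposition: attachment; filename="%2e%2e%5cevil.wmz"'
    ),
}


def evaluate(samples=SAMPLES):
    """Return {name: (generic_fires, corrected_fires)} for each sample."""
    return {
        name: (matches_generic_rule(p), matches_corrected_rule(p))
        for name, p in samples.items()
    }


def false_positives(samples=SAMPLES):
    """Names of samples that fire the generic revision but not the corrected one."""
    return sorted(n for n, (g, c) in evaluate(samples).items() if g and not c)


if __name__ == "__main__":
    for name, (generic, corrected) in evaluate().items():
        print(f"{name:24s} generic={generic!s:5s} corrected={corrected}")
```

Run as a script it prints one line per sample; the ordinary PDF and the plain .wmz download fire only the generic revision, which is the flood of alerts described in the original report, while the two responses carrying a traversal sequence before a .wmz name fire both.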

On Wed, Feb 24, 2010 at 2:06 PM, Willst Mail <willstmail at ...11827...> wrote:
> Hello,
> The VRT signatures released 2010-02-23 contain an updated version of
> SID 3192 "WEB-CLIENT Windows Media Player directory traversal via
> Content-Disposition attempt."  It looks like the rule became more
> generic than previous revisions: whereas earlier revisions had a pcre,
> this one just looks for "Content-Disposition " followed at some point
> by "filename=".  We previously saw almost no alerts generated by this
> rule, but we have been seeing about 1200 per hour since the updated
> rule was released.  All of the alerts look to be responses from web
> servers to our internal clients, with an external sensor reporting the
> destination IP as our outbound gateway.
>
> Is anyone else seeing this sort of behavior?  From the handful of
> packets I have looked at so far, these appear to be mostly false
> positives.
>