[Snort-users] Updated rule sid 3192 WEB-CLIENT Windows Media Player directory traversal via Content-Disposition attempt

Matt Olney molney at ...1935...
Thu Feb 25 11:42:41 EST 2010

I thought you all might like to know that I ended up in substantial
trouble with my VRT colleagues over this, as the rule ended up
blocking our access to both sourceforge and more importantly, YouTube.
While the language used to inform me that I had failed isn't fit for
this list, know that it combined the best of Korean, Japanese and what
Nigel calls "English".  Further, I shan't describe the punishment that
I am in for, but if I'm not on the list for a bit, I'm sure you'll


On Wed, Feb 24, 2010 at 2:27 PM, Matt Olney <molney at ...1935...> wrote:
> I jacked this rule up when I committed it into the system.  The analyst
> that did it correctly built the rule and in testing I failed to get
> the PCRE back in.
> This will be fixed next build, but in the meantime, here is what it SHOULD be:
> Windows Media Player directory traversal via Content-Disposition
> attempt"; flow:from_server,established;
> content:"Content-Disposition|3A|"; nocase; content:"filename=";
> distance:0; nocase;
> pcre:"/[^\x3b\x3a\r\n]*(\x25\x2e\x25\x2e\x25\x5c|\x25\x32\x65\x25\x35\x63|\x2e\x2e\x5c)[^\x3b\x3a\r\n]*\x2ewmz/smi";
> metadata:policy security-ips drop; reference:bugtraq,7517;
> reference:cve,2003-0228; reference:nessus,11595;
> reference:url,www.microsoft.com/technet/security/bulletin/MS03-017.mspx;
> classtype:attempted-user; sid:3192; rev:8;)
> Matt
> On Wed, Feb 24, 2010 at 2:06 PM, Willst Mail <willstmail at ...11827...> wrote:
>> Hello,
>> The VRT signatures released 2010-02-23 contain an updated version of
>> SID 3192 "WEB-CLIENT Windows Media Player directory traversal via
>> Content-Disposition attempt."  It looks like the rule became more
>> generic than previous revisions: whereas earlier revisions had a pcre,
>> this one just looks for "Content-Disposition " followed at some point
>> by "filename=".  We previously saw almost no alerts generated by this
>> rule, but we have been seeing about 1200 per hour since the updated
>> rule was released.  All of the alerts look to be responses from web
>> servers to our internal clients, with an external sensor reporting the
>> destination IP as our outbound gateway.
>> Is anyone else seeing this sort of behavior?  From the handful of
>> packets I have looked at so far, these appear to be mostly false
>> positives.
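To see why the shipped revision alerted on ordinary downloads while the corrected one should not, here is an added Python emulation of both versions of SID 3192 (editor's example, not code from the thread or from Snort itself). The HTTP responses are constructed samples, and the handling of `content`/`nocase`/`distance:0` is a simplified approximation of Snort's matcher.

```python
import re

# PCRE from the corrected rule in Matt's reply; /smi -> DOTALL|MULTILINE|IGNORECASE.
# The \xhh escapes are literal bytes: "%.%.%\", "%2e%5c" and "..\" are the
# traversal forms the rule looks for, followed somewhere on the line by ".wmz".
TRAVERSAL_PCRE = re.compile(
    rb"[^\x3b\x3a\r\n]*(\x25\x2e\x25\x2e\x25\x5c|\x25\x32\x65\x25\x35\x63|\x2e\x2e\x5c)"
    rb"[^\x3b\x3a\r\n]*\x2ewmz",
    re.S | re.M | re.I,
)


def content_match(payload: bytes, needle: bytes, start: int = 0) -> int:
    """Approximate a Snort 'content' option with 'nocase'.
    Returns the offset just past the match (where a following 'distance:0'
    option continues searching), or -1 if the needle is absent."""
    idx = payload.lower().find(needle.lower(), start)
    return -1 if idx < 0 else idx + len(needle)


def released_rule_fires(response: bytes) -> bool:
    """SID 3192 as shipped on 2010-02-23, as Willst describes it: both content
    matches (the second relative to the first) and no pcre at all."""
    end = content_match(response, b"Content-Disposition:")
    return end >= 0 and content_match(response, b"filename=", start=end) >= 0


def intended_rule_fires(response: bytes) -> bool:
    """SID 3192 as Matt says it should be: the same content matches gated by
    the traversal pcre, which is what keeps plain downloads from alerting."""
    return released_rule_fires(response) and TRAVERSAL_PCRE.search(response) is not None


# Constructed HTTP response fragments for illustration, not captured traffic.
SAMPLE_RESPONSES = {
    "tarball download": b"HTTP/1.1 200 OK\r\nContent-Type: application/x-gzip\r\n"
                        b'Content-Disposition: attachment; filename="snort-2.8.5.3.tar.gz"\r\n\r\n',
    "plain wmz download": b"HTTP/1.1 200 OK\r\ncontent-disposition: inline; filename=clip.wmz\r\n\r\n",
    "traversal in filename": b"HTTP/1.1 200 OK\r\nContent-Disposition: attachment; "
                             b"filename=..\\..\\..\\clip.wmz\r\n\r\n",
    "encoded traversal": b"HTTP/1.1 200 OK\r\nContent-Disposition: attachment; "
                         b"filename=%2e%5c%2e%5cclip.wmz\r\n\r\n",
    "no disposition header": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>",
}


def evaluate(responses: dict) -> dict:
    """Run both revisions over a batch; returns name -> (released, intended)."""
    return {name: (released_rule_fires(r), intended_rule_fires(r)) for name, r in responses.items()}


if __name__ == "__main__":
    for name, (shipped, fixed) in evaluate(SAMPLE_RESPONSES).items():
        print(f"{name:24s} shipped={shipped!s:5s} intended={fixed}")
```

Every benign attachment fires the shipped revision, which is the roughly 1200 alerts per hour Willst saw; only the two traversal samples fire the intended one.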
