[Snort-users] HI_CLIENT_WEBROOT_DIR 119:18 rule help

Dave Venman dvenman at ...1935...
Sun Oct 14 11:39:46 EDT 2012


This is a preprocessor rule - the GID (119) gives it away.  GID is
"Generator ID". i.e. which subsystem in Snort (rules engine, preprocessor
etc) generated the event.

Clear text rules have a GID of 1, Shared Object (compiled/obfuscated) are
GID:3.  Other GIDs are documented in the Snort manual and the READMEs in
the source tarball.  The number after the colon is the SID (Signature ID,
or specific rule ID), in this case 18.

This particular rule is the HTTP Inspect preprocessor, and from the
README.http_inspect I get:

  18    Webroot directory traversal

So something is trying to do "../.." past the webroot of the webserver.

On 14 October 2012 11:45, Chuck DiRaimondi <charlesd81 at ...11827...> wrote:

> I'm new to Snort and rules in general so I apologize in advance. I've been
> trying to understand this rule. When would this rule be fired? I don't see
> a content or similar type keyword in the rule that would look for specific
> data within the payload and then fire if it meets the criteria. Thanks!
>
>
> ------------------------------------------------------------------------------
> Don't let slow site performance ruin your business. Deploy New Relic APM
> Deploy New Relic app performance management and know exactly
> what is happening inside your Ruby, Python, PHP, Java, and .NET app
> Try New Relic at no cost today and get our sweet Data Nerd shirt too!
> http://p.sf.net/sfu/newrelic-dev2dev
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>



-- 
Dave Venman, CISSP
Security Engineer Manager, Sourcefire EMEA
Email:   dave dot venman at sourcefire.com <dave.venman at ...1935...>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20121014/46b87694/attachment.html>


More information about the Snort-users mailing list