[Snort-users] HI_CLIENT_WEBROOT_DIR 119:18 rule help

Dave Venman dvenman at ...1935...
Mon Oct 15 02:59:33 EDT 2012


Hi there.

  (cc'ed the Snort users list too).

  Well, the client only knows that it can ask for something like
http://www.server.com/a/b/c - the exact location on disk is something it
doesn't need to know - the server does.

  In the case of a Webroot traversal, what happens is the attacker sends a
request like

    http://www.server.com/a/b/../../../

  and if the webserver is misconfigured, may provide the attacker access to
files which are outside the web document structure on disk.

On 14 October 2012 17:24, Balasubramaniam Natarajan <bala150985 at ...11827...>wrote:

>
>
> On Sun, Oct 14, 2012 at 9:09 PM, Dave Venman <dvenman at ...1935...>wrote:
>
>> This is a preprocessor rule - the GID (119) gives it away.  GID is
>> "Generator ID". i.e. which subsystem in Snort (rules engine, preprocessor
>> etc) generated the event.
>>
>> Clear text rules have a GID of 1, Shared Object (compiled/obfuscated) are
>> GID:3.  Other GIDs are documented in the Snort manual and the READMEs in
>> the source tarball.  The number after the colon is the SID (Signature ID,
>> or specific rule ID), in this case 18.
>>
>> This particular rule is the HTTP Inspect preprocessor, and from the
>> README.http_inspect I get:
>>
>>   18    Webroot directory traversal
>>
>> So something is trying to do "../.." past the webroot of the webserver.
>>
>>
> Hi Dave,
>
> I have a question if you don't mind.
>
> How does snort figure out that someone is going past the webroot, as I
> can change the webroot to whatever I want and that would be specified in
> webserver's conf file which snort will not have access to.
>
> For example the default apache webroot would be /var/www/  If I want to I
> could change it to point at
> /var/www/OneMoreDirectory/virtualserver1/virtualserver1.html and if I host
> another apache virtualhost at this location
> /var/www/virtualserver2/server2.html  won't snort get confused when people
> try to access http://<serverIP> and then http://<serverIP>/../../ ?
>
>
> --
> Regards,
> Balasubramaniam Natarajan
> www.etutorshop.com/moodle/
>
>


-- 
Dave Venman, CISSP
Security Engineer Manager, Sourcefire EMEA
Email:   dave.venman at ...1935...
Mobile: +44 (7917) 168068
DDI:     +44 (1344) 788412
Fax:     +44 (1344) 788401
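An added illustration of the point made in this reply (example code written for this thread, not Snort's own HTTP Inspect code): the check needs only the URI, because the reference point is the URI's root "/", not the server's document root on disk. The function name and the sample URIs are constructed; real HTTP Inspect normalization also handles other encodings, which this sketch does not.

```python
from urllib.parse import unquote, urlsplit


def path_depth_check(uri: str) -> dict:
    """Walk the URI path segment by segment and report whether any ".."
    climbs above the URI root "/".  Constructed sketch of the idea behind
    HTTP Inspect alert 119:18: the sensor never needs the webserver's
    DocumentRoot, only the request it can see on the wire."""
    path = urlsplit(uri).path or "/"
    # Decode percent-encoding once so %2e%2e counts the same as ".."
    path = unquote(path)
    depth = 0        # how far below "/" the current segment sits
    min_depth = 0    # lowest depth reached anywhere in the path
    for seg in path.split("/"):
        if seg in ("", "."):
            continue                     # "//" and "/./" do not move
        if seg == "..":
            depth -= 1
            min_depth = min(min_depth, depth)
        else:
            depth += 1
    return {"normalized_depth": depth, "traversal_past_root": min_depth < 0}


def flag_requests(uris: list) -> list:
    """Return the URIs that would trip the webroot traversal check."""
    return [u for u in uris if path_depth_check(u)["traversal_past_root"]]


if __name__ == "__main__":
    # Constructed sample requests, including the one from the reply above.
    samples = [
        "http://www.server.com/a/b/c",            # ordinary request
        "http://www.server.com/a/b/../c",         # stays inside the root
        "http://www.server.com/a/b/../../../",    # climbs above "/"
        "/a/%2e%2e/%2e%2e/x",                     # same thing, encoded
    ]
    for u in flag_requests(samples):
        print("traversal past webroot:", u)
```

Whatever the real document root is, "/a/b/../../../" resolves above "/" in the URI itself, which is why the alert fires independently of the server's configuration.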