[Snort-users] HI_CLIENT_WEBROOT_DIR 119:18 rule help
dvenman at ...1935...
Mon Oct 15 02:59:33 EDT 2012
(cc'ed the Snort users list too).
Well, the client only knows that it can ask for something like
http://www.server.com/a/b/c - the exact location on disk is something it
doesn't need to know - the server does.
In the case of a Webroot traversal, what happens is the attacker sends a
and if the webserver is misconfigured, may provide the attacker access to
files which are outside the web document structure on disk.
On 14 October 2012 17:24, Balasubramaniam Natarajan <bala150985 at ...11827...> wrote:
> On Sun, Oct 14, 2012 at 9:09 PM, Dave Venman <dvenman at ...1935...> wrote:
>> This is a preprocessor rule - the GID (119) gives it away. GID is
>> "Generator ID". i.e. which subsystem in Snort (rules engine, preprocessor
>> etc) generated the event.
>> Clear text rules have a GID of 1, Shared Object (compiled/obfuscated) are
>> GID:3. Other GIDs are documented in the Snort manual and the READMEs in
>> the source tarball. The number after the colon is the SID (Signature ID,
>> or specific rule ID), in this case 18.
>> This particular rule is the HTTP Inspect preprocessor, and from the
>> README.http_inspect I get:
>> 18 Webroot directory traversal
>> So something is trying to do "../.." past the webroot of the webserver.
> Hi Dave,
> I have a question if you don't mind.
> How does snort figure out that someone is going past the webroot, as I
> can change the webroot to whatever I want and that would be specified in
> the webserver's conf file which snort will not have access to.
> For example the default apache webroot would be /var/www/ If I want to I
> could change it to point at
> /var/www/OneMoreDirectory/virutalserver1/virtualserver1.html and if I host
> another apache virtualhost at this location
> /var/www/virtualserver2/server2.html won't snort get confused when people
> try to access http://<serverIP> and then http://<serverIP>/../../ ?
> Balasubramaniam Natarajan
Dave Venman, CISSP
Security Engineer Manager, Sourcefire EMEA
Email: dave.venman at ...1935...
Mobile: +44 (7917) 168068
DDI: +44 (1344) 788412
Fax: +44 (1344) 788401
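
Added example, not part of the original message and not Snort's own code: a simplified Python model of the point made in the reply above, that a traversal past the webroot can be judged from the request path alone, without knowing the server's on-disk document root. The depth-counting approach, the function names and the sample requests (documentation address 192.0.2.10) are assumptions made for illustration.

```python
from urllib.parse import unquote, urlsplit

ALERT_ID = "119:18"  # GID:SID quoted in the thread (HTTP Inspect, webroot traversal)


def traversal_depth(uri):
    """Lowest directory depth reached while walking the URI path.

    Depth 0 is the URL root "/". A negative result means ".." segments
    climbed above that root, whatever directory it maps to on disk.
    """
    # Assumption: one pass of percent-decoding stands in for URI normalization.
    path = unquote(urlsplit(uri).path)
    depth = lowest = 0
    for segment in path.split("/"):
        if segment in ("", "."):
            continue              # empty and "." segments do not move
        if segment == "..":
            depth -= 1            # one level up
            lowest = min(lowest, depth)
        else:
            depth += 1            # one level down
    return lowest


def past_webroot(uri):
    return traversal_depth(uri) < 0


def scan(request_lines):
    """Return (alert id, uri) for each request line that climbs past the root."""
    hits = []
    for line in request_lines:
        _method, uri, _version = line.split(" ", 2)
        if past_webroot(uri):
            hits.append((ALERT_ID, uri))
    return hits


# Constructed sample request lines, not captured traffic.
CONSTRUCTED_REQUESTS = [
    "GET / HTTP/1.1",
    "GET /a/b/c HTTP/1.1",
    "GET /a/b/../c HTTP/1.1",                 # ".." stays inside the tree
    "GET http://192.0.2.10/../../ HTTP/1.1",  # the case asked about in the thread
    "GET /a/../../outside.txt HTTP/1.1",
    "GET /%2e%2e/%2e%2e/outside.txt HTTP/1.1",
]

if __name__ == "__main__":
    for alert, uri in scan(CONSTRUCTED_REQUESTS):
        print(alert, uri)
```

The same three requests are flagged whether the server's document root is /var/www/ or any other directory, because only the URL path is examined.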