Snort mailing list archives
another content
From: Aditya () directnet com br
Date: Thu, 27 Feb 2003 11:21:14 -0300
Hi freinds Are the content options sequantial to? like the uricontent opton?? or no? Aditya
Do uricontent's get checked in sequentially like content options? In particular sid 1072 has two >uricontent options. According to most of the advisories these two uricontents need to appear in the >order they are defined ie "GET /.nsf/../somefile". However I am receiving alerts for URI >like "GET /../prog.nsf/data/file". Is this expected behaviour?
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Lotus Domino directory >traversal"; uricontent:".nsf/"; uricontent:"../"; nocase; flow:t>o_server,established; >reference:cve,CVE-2001-0009; reference:bugtraq,2173; classtype:web-application-attack; sid:1072; >rev:6;)
------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- another content Aditya (Feb 27)