Re: RES: Snort - http_inspect

[Matt Olney <molney () sourcefire com>]

Yep, I get that, but I'm actually also interested in this:
        
#2-(1-20)

[snort] (http_inspect) WEBROOT DIRECTORY TRAVERSAL

2009-07-16 15:07:04

10.58.xxx.xxx:1149

10.10.xxx.xxx:161

UDP

Matt

On Fri, Jul 17, 2009 at 4:20 AM, Nerijus
Krukauskas<nkrukauskas () gmail com> wrote:
> On 2009-07-17, Matt Olney <molney () sourcefire com> wrote:
> > What kind of awesomeness did you do to get an http_inspect directory
> > traversal alert on UDP 161 traffic?
> >
> > Or am I missing something?
>
> I guess, OP is talking about this:
>
> #0-(1-33)
>
>
> [snort] (http_inspect) IIS UNICODE CODEPOINT ENCODING
>
>
> 2009-07-16 15:07:31
>
>
> 10.248.xxx.xxx:80
>
>
> 10.58.xxx.xxx:2067
>
>
> TCP
>
> > Matt
> >
> > On Fri, Jul 17, 2009 at 1:38 AM, Nerijus
> > Krukauskas<nkrukauskas () gmail com> wrote:
> > > On 2009-07-16, Hugo Leonardo Ferrer Rebello
> > > <Hugo.Rebello () t-systems com br> wrote:
> > > > Could you help to understand gen_id and sig_id from suppress sintaxe ?
> > > >
> > > > I created the rules below, but it's not working.
> > > >
> > > > suppress gen_id 119, sig_id 16, track by_src, ip 10.58.xxx.xxx
> > >
> > > http_inspect is NOT gen_id 1. From the doc/README.http_inspect: "HTTP
> > > Inspect used generator ID 119 and 120."
> > >
> > > RTFM! :) Oh, and
> > > http://www.joelesler.net/finshake/The_Snort_Drinking_Game.html. :)
> > >
> > > --
> > > http://nk99.org/
> > >
> > > ------------------------------------------------------------------------------
> > > Enter the BlackBerry Developer Challenge
> > > This is your chance to win up to $100,000 in prizes! For a limited time,
> > > vendors submitting new applications to BlackBerry App World(TM) will have
> > > the opportunity to enter the BlackBerry Developer Challenge. See full
> > > prize
> > > details at: http://p.sf.net/sfu/Challenge
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
> --
> http://nk99.org/
>
> ------------------------------------------------------------------------------
> Enter the BlackBerry Developer Challenge
> This is your chance to win up to $100,000 in prizes! For a limited time,
> vendors submitting new applications to BlackBerry App World(TM) will have
> the opportunity to enter the BlackBerry Developer Challenge. See full prize
> details at: http://p.sf.net/sfu/Challenge
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

------------------------------------------------------------------------------
Enter the BlackBerry Developer Challenge  
This is your chance to win up to $100,000 in prizes! For a limited time, 
vendors submitting new applications to BlackBerry App World(TM) will have
the opportunity to enter the BlackBerry Developer Challenge. See full prize  
details at: http://p.sf.net/sfu/Challenge
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users