Snort mailing list archives
Re: Updated rule sid 3192 WEB-CLIENT Windows Media Player directory traversal via Content-Disposition attempt
From: Matt Olney <molney () sourcefire com>
Date: Wed, 24 Feb 2010 14:27:59 -0500
Also...just as an aside. Don't run that rule. I mean unless you REALLY REALLY need to. You should be well patched to that, and the fact that you get so many alerts shows that in your traffic you hit that content match frequently and thus enter the PCRE.

Matt

On Wed, Feb 24, 2010 at 2:27 PM, Matt Olney <molney () sourcefire com> wrote:
I jacked this rule up when I committed it into the system. The analyst that did it correctly built the rule and in testing I failed to get the PCRE back in. This will be fixed next build, but in the meantime, here is what it SHOULD be:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Windows Media Player directory traversal via Content-Disposition attempt"; flow:from_server,established; content:"Content-Disposition|3A|"; nocase; content:"filename="; distance:0; nocase; pcre:"/[^\x3b\x3a\r\n]*(\x25\x2e\x25\x2e\x25\x5c|\x25\x32\x65\x25\x35\x63|\x2e\x2e\x5c)[^\x3b\x3a\r\n]*\x2ewmz/smi"; metadata:policy security-ips drop; reference:bugtraq,7517; reference:cve,2003-0228; reference:nessus,11595; reference:url,www.microsoft.com/technet/security/bulletin/MS03-017.mspx; classtype:attempted-user; sid:3192; rev:8;)

Matt

On Wed, Feb 24, 2010 at 2:06 PM, Willst Mail <willstmail () gmail com> wrote:

Hello,

The VRT signatures released 2010-02-23 contain an updated version of SID 3192 "WEB-CLIENT Windows Media Player directory traversal via Content-Disposition attempt." It looks like the rule became more generic than previous revisions: whereas earlier revisions had a pcre, this one just looks for "Content-Disposition" followed at some point by "filename=".

We previously saw almost no alerts generated by this rule, but we have been seeing about 1200 per hour since the updated rule was released. All of the alerts look to be responses from web servers to our internal clients, with an external sensor reporting the destination IP as our outbound gateway.

Is anyone else seeing this sort of behavior? From the handful of packets I have looked at so far, these appear to be mostly false positives.

------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta. http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
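The thread's point is that the shipped revision of SID 3192 fires on every "Content-Disposition: ... filename=" header, while the intended revision only fires once the PCRE also matches a traversal sequence ending in ".wmz". The following Python script is an added illustration, not code from the thread or from Snort: it models the two content matches and the PCRE of the corrected rule (transcribed from the rule text above) and runs both variants over constructed HTTP response headers, so you can see which one produces the false positives Willst Mail describes. The header samples are made up for this example; the simplified matcher ignores Snort's flow and port qualifiers.

```python
import re

# Constructed sample HTTP responses (not taken from the thread).
# A perfectly ordinary file download: the kind of traffic that produced
# ~1200 alerts/hour with the PCRE-less revision of the rule.
BENIGN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/pdf\r\n"
    "Content-Disposition: attachment; filename=quarterly-report.pdf\r\n"
    "\r\n"
)

# A filename carrying a raw "..\" traversal sequence that ends in .wmz.
TRAVERSAL_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/x-ms-wmz\r\n"
    "Content-Disposition: attachment; filename=..\\..\\startup\\skin.wmz\r\n"
    "\r\n"
)

# The same idea with the "%2e%5c" URL-encoded form the PCRE also lists.
ENCODED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/x-ms-wmz\r\n"
    "Content-Disposition: attachment; filename=%2e%2e%5cskin.wmz\r\n"
    "\r\n"
)

# The pcre option from the corrected rule, verbatim; Python's re module
# understands the \xNN escapes and the s, m, i modifiers used there.
SID3192_PCRE = re.compile(
    r"[^\x3b\x3a\r\n]*"
    r"(\x25\x2e\x25\x2e\x25\x5c|\x25\x32\x65\x25\x35\x63|\x2e\x2e\x5c)"
    r"[^\x3b\x3a\r\n]*\x2ewmz",
    re.S | re.M | re.I,
)


def content_matches(payload: str) -> bool:
    """Model of the two content options only (the revision that shipped).

    content:"Content-Disposition|3A|"; nocase; then
    content:"filename="; distance:0; nocase; i.e. "filename=" must occur
    somewhere after the end of the first match.
    """
    low = payload.lower()
    cd = low.find("content-disposition:")
    if cd < 0:
        return False
    return low.find("filename=", cd + len("content-disposition:")) >= 0


def sid3192_fires(payload: str) -> bool:
    """Model of the corrected rule: content matches AND the PCRE.

    Without the R modifier a Snort pcre is evaluated against the whole
    payload, so the regex is searched from the start of the buffer.
    """
    if not content_matches(payload):
        return False
    return SID3192_PCRE.search(payload) is not None


def compare(payload: str) -> dict:
    """Return what each revision would do for one payload."""
    return {
        "shipped_rev_alerts": content_matches(payload),
        "corrected_rev_alerts": sid3192_fires(payload),
    }


if __name__ == "__main__":
    for name, sample in [("benign download", BENIGN_RESPONSE),
                         ("raw traversal", TRAVERSAL_RESPONSE),
                         ("encoded traversal", ENCODED_RESPONSE)]:
        print(f"{name:18s} {compare(sample)}")
```

Running it shows the shipped revision alerting on all three responses, the benign PDF download included, while the corrected revision alerts only on the two responses whose filename carries a traversal sequence and the .wmz suffix.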
Current thread:
- Updated rule sid 3192 WEB-CLIENT Windows Media Player directory traversal via Content-Disposition attempt Willst Mail (Feb 24)
- Re: Updated rule sid 3192 WEB-CLIENT Windows Media Player directory traversal via Content-Disposition attempt Matt Olney (Feb 24)
- Re: Updated rule sid 3192 WEB-CLIENT Windows Media Player directory traversal via Content-Disposition attempt Matt Olney (Feb 24)
- Re: Updated rule sid 3192 WEB-CLIENT Windows Media Player directory traversal via Content-Disposition attempt Matt Olney (Feb 25)
- Re: Updated rule sid 3192 WEB-CLIENT Windows Media Player directory traversal via Content-Disposition attempt Matt Olney (Feb 24)