Re: Updated rule sid 3192 WEB-CLIENT Windows Media Player directory traversal via Content-Disposition attempt

[Matt Olney <molney () sourcefire com>]

Also...just as an aside.  Don't run that rule.  I mean unless you
REALLY REALLY need to.  You should be well patched to that, and the
fact that you get so many alerts shows that in your traffic you hit
that content match frequently and thus enter the PCRE.

Matt

On Wed, Feb 24, 2010 at 2:27 PM, Matt Olney <molney () sourcefire com> wrote:
> I jacked this rule up when I commited it into the system.  The analyst
> that did it correctly built the rule and in testing I failed to get
> the PCRE back in.
>
> This will be fixed next build, but in the meantime, here is what it SHOULD be:
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT
> Windows Media Player directory traversal via Content-Disposition
> attempt"; flow:from_server,established;
> content:"Content-Disposition|3A|"; nocase; content:"filename=";
> distance:0; nocase;
> pcre:"/[^\x3b\x3a\r\n]*(\x25\x2e\x25\x2e\x25\x5c|\x25\x32\x65\x25\x35\x63|\x2e\x2e\x5c)[^\x3b\x3a\r\n]*\x2ewmz/smi";
> metadata:policy security-ips drop; reference:bugtraq,7517;
> reference:cve,2003-0228; reference:nessus,11595;
> reference:url,www.microsoft.com/technet/security/bulletin/MS03-017.mspx;
> classtype:attempted-user; sid:3192; rev:8;)
>
> Matt
>
> On Wed, Feb 24, 2010 at 2:06 PM, Willst Mail <willstmail () gmail com> wrote:
> > Hello,
> > The VRT signatures released 2010-02-23 contain an updated version of
> > SID 3192 "WEB-CLIENT Windows Media Player directory traversal via
> > Content-Disposition attempt."  It looks like the rule became more
> > generic than previous revisions: whereas earlier revisions had a pcre,
> > this one just looks for "Content-Disposition " followed at some point
> > by "filename="  We previously saw almost no alerts generated by this
> > rule, but we have been seeing about 1200 per hour since the updated
> > rule was released.  All of the alerts look to be responses from web
> > servers to our internal clients, with an external sensor reporting the
> > destination IP as our outbound gateway.
> >
> > Is anyone else seeing this sort of behavior?  From the handful of
> > packets I have looked at so far, these appear to be mostly false
> > positives.
> >
> > ------------------------------------------------------------------------------
> > Download Intel&#174; Parallel Studio Eval
> > Try the new software tools for yourself. Speed compiling, find bugs
> > proactively, and fine-tune applications for parallel performance.
> > See why Intel Parallel Studio got high marks during beta.
> > http://p.sf.net/sfu/intel-sw-dev
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users

------------------------------------------------------------------------------
Download Intel&#174; Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users