
[Snort-sigs] FP on sid=535

From: Jason Haar <Jason.Haar(at)trimble.co.nz>
Date: Mon Mar 15 2004 - 10:44:47 EST


I've just had a bunch of these occur.

SID=535 reads:

circumvent directory access control by trying to change to the "..." directory

Well, I think it can trigger when there are lots of dots in the filename too (see the "2E 2E 2E 00 00 00 00 C0"). We have just upgraded to 2.1.1 and are getting this triggering on what I assume is normal traffic.

C.x{D...D.? A.j.

3d0 : 41 00 A0 39 43 00 04 4F 43 00 73 6F 66 74 77 61   A..9C..OC.softwa
3e0 : 72 65 00 00 00 00 5C 2E 2E 2E 00 00 00 00 C0 7B   re....\........{
3f0 : 44 00 51 A6 43 00 E0 A5 43 00 92 A7 43 00 2A AA   D.Q.C...C...C.*.
400 : 43 00 AC A9 43 00 1C A5 43 00 26 25 64 20 00 00   C...C...C.&%d ..
410 : 00 00 2E 49 4E 49 00 00 00 00 2E 48 4C 50 00 00   ..INI.....HLP..
-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


Received on Mon Mar 15 12:37:26 2004
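
For triaging an alert like the one in this message, the following added example (not part of the original post and not Snort code) parses the posted hex dump, locates the byte sequence, and lists the printable strings around the hit. The pattern `5C 2E 2E 2E 00 00 00` is an assumption built from the bytes the post points at; the rule's actual content option is not quoted in the message.

```python
import re

# Hex dump lines copied from the post (offset : 16 bytes, then ASCII column).
DUMP = r"""
3d0 : 41 00 A0 39 43 00 04 4F 43 00 73 6F 66 74 77 61   A..9C..OC.softwa
3e0 : 72 65 00 00 00 00 5C 2E 2E 2E 00 00 00 00 C0 7B   re....\........{
3f0 : 44 00 51 A6 43 00 E0 A5 43 00 92 A7 43 00 2A AA   D.Q.C...C...C.*.
400 : 43 00 AC A9 43 00 1C A5 43 00 26 25 64 20 00 00   C...C...C.&%d ..
410 : 00 00 2E 49 4E 49 00 00 00 00 2E 48 4C 50 00 00   ..INI.....HLP..
"""

# ASSUMPTION: backslash, three dots, three NULs. The post does not quote
# the rule's content option, so this is only an illustrative pattern.
ASSUMED_PATTERN = bytes.fromhex("5c2e2e2e000000")
HEX_BYTE = re.compile(r"[0-9A-Fa-f]{2}")

def parse_dump(text):
    """Return (base_offset, payload) from 'offset : hex bytes   ascii' rows."""
    base, data = None, bytearray()
    for line in text.splitlines():
        if ":" not in line:
            continue
        offset, rest = line.split(":", 1)
        if base is None:
            base = int(offset.strip(), 16)
        for tok in rest.split()[:16]:       # at most 16 bytes per row
            if not HEX_BYTE.fullmatch(tok):
                break                        # reached the ASCII column
            data.append(int(tok, 16))
    return base, bytes(data)

def find_hits(base, data, pattern=ASSUMED_PATTERN):
    """Dump offsets at which the byte pattern occurs."""
    return [base + m.start() for m in re.finditer(re.escape(pattern), data)]

def printable_strings(data, min_len=4):
    """ASCII runs of at least min_len bytes: the context around a hit."""
    rx = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(rx, data)]

if __name__ == "__main__":
    base, data = parse_dump(DUMP)
    print("pattern at:", [hex(o) for o in find_hits(base, data)])
    print("nearby strings:", printable_strings(data))
```

The neighbouring strings (a printf-style format and file extensions) are the kind of context that helps decide whether the matched bytes are a path in a request or data being carried in a file.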

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:37 EDT

