Looking for some enlightenment. Comments and question inline.

Information Security wrote Wednesday, November 13, 2002 1:27 PM

> > 2002-11-12 13:00:37 210.201.100.253 - x.x.x.17 80 GET
> > /scripts/..%5c../..%5c../..%5cwinnt/system32/cmd.exe /c+dir 200 1849 321
> > 31 HTTP/1.1 63.241.137.233
> > Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0) - -
>
> It's been my experience that the actual URL probably sent to your server was
> /scripts/..%255c../..%255c../..%255cwinnt/system32/cmd.exe?/c+dir. If you
> type that into your browser, you'll probably have success.

This fits my experience exactly. The attack performed from a browser or
script uses %255c.. but Snort always logs it as %5c.

> You would see this entry on any proxy device in front of the web server.
> IIS and Snort (IMHO) appropriately run a single URL decode on the
> request, which pretty much follows URI RFC specs, so that's not really a bug.

Are you saying that Snort has performed one level of Unicode translation
before it creates its hex-level packet dumps? This seems to fit the output,
but it contradicts the expectation that Snort is displaying exactly what was
on the wire in hex format.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more
information on this free incident handling, management and tracking system
please see: http://aris.securityfocus.com
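The thread turns on how many percent-decoding passes a given device applies: one pass turns %255c into %5c (which is what the log shows), a second pass turns %5c into a backslash. The following Python is an added illustration, not code from the list or from Snort or IIS; the sample paths are constructed from the forms quoted above, and the function names (decode_passes, is_traversal, classify) are the example's own. It decodes repeatedly until the string stops changing, reports how many passes were needed, and flags directory traversal on the fully decoded form, which is the check a log reviewer or proxy operator would want regardless of how many decode layers the sender used.

```python
from urllib.parse import unquote

# Constructed sample request paths (not the original log lines): the
# single-decoded form a proxy or IDS would log, the double-encoded form the
# reply above says was actually sent, and a benign path for contrast.
SAMPLE_PATHS = [
    "/scripts/..%5c../..%5c../..%5cwinnt/system32/cmd.exe",
    "/scripts/..%255c../..%255c../..%255cwinnt/system32/cmd.exe",
    "/images/logo.png",
]


def decode_passes(path, max_passes=4):
    """Percent-decode repeatedly until the string stops changing.

    Returns (fully_decoded_path, number_of_passes_that_changed_it).
    A path that needs more than one pass was double-encoded: a single
    decode (what the thread says IIS and Snort apply) leaves %5c in
    place, and only a second decode yields the backslash.
    """
    passes = 0
    current = path
    for _ in range(max_passes):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
        passes += 1
    return current, passes


def is_traversal(path):
    """True if the fully decoded path contains a '..' segment, treating
    backslash and forward slash alike as separators."""
    decoded, _ = decode_passes(path)
    normalized = decoded.replace("\\", "/")
    return any(segment == ".." for segment in normalized.split("/"))


def classify(path):
    """Summarize what each decode layer sees for one request path."""
    decoded, passes = decode_passes(path)
    return {
        "single_decode": unquote(path),   # what a one-pass device logs
        "full_decode": decoded,           # what the filesystem would see
        "passes": passes,
        "double_encoded": passes > 1,
        "traversal": is_traversal(path),
    }


if __name__ == "__main__":
    for sample in SAMPLE_PATHS:
        print(sample, "->", classify(sample))
```

Run against the double-encoded sample, the single-decode view matches the %5c form in the quoted log entry while the full decode shows the backslashes, which is consistent with the explanation that the logging device applied one decode pass to a %255c request.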
This archive was generated by hypermail 2b30 : Thu Nov 14 2002 - 16:47:50 PST