Rule:

--
Sid: 496

-- 
Summary:
This event is generated by the successful completion of a directory listing operation. This may indicate post-compromise behavior, namely the use of a Windows command shell to list directory contents.

-- 
Impact: 
Serious. An attacker may have the ability to execute commands remotely.

--
Detailed Information:
This event is generated when a standard Windows command for listing directories is executed. The string "Directory of" is typically shown in front of the directory listing on Windows NT/2000/XP.  

Seeing this response in HTTP traffic indicates that an attacker may have been able to spawn a shell bound to a web port and has successfully executed at least one command to list the contents of a directory. Note that the source address of this event is actually that of the victim and not that of the attacker.

--

Attack Scenarios: 
An attacker gains access to a Windows web server via an IIS vulnerability and manages to start a cmd.exe shell. He then proceeds to look for interesting files on the compromised server via the "dir" command.

-- 

Ease of Attack: 
Simple. This post-attack behavior can accompany different attacks.

-- 

False Positives: 
This rule will generate an event if the string "Directory of" appears in the content distributed by a web server, in which case the rule should be tuned.
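
An added example (not part of the original Snort documentation): a Python triage helper for payloads that matched "Directory of", which checks for the other lines that normally surround that string in cmd.exe dir output so that ordinary web content can be separated from a real listing. The marker patterns, the thresholds and the sample payloads are assumptions constructed for illustration.

```python
import re

RULE_STRING = b"Directory of"  # the string this page says the rule alerts on

# Assumed layout of English-locale cmd.exe `dir` output around that string.
MARKERS = {
    "volume_label": re.compile(r"^\s*Volume in drive [A-Z] (?:is .+|has no label\.)\s*$", re.M),
    "volume_serial": re.compile(r"^\s*Volume Serial Number is [0-9A-F]{4}-[0-9A-F]{4}\s*$", re.M),
    "drive_path": re.compile(r"^\s*Directory of [A-Za-z]:\\", re.M),
    "entry_line": re.compile(r"^\d{2}[/.-]\d{2}[/.-]\d{2,4}\s+\d{1,2}:\d{2}\s?(?:[AP]M|[ap])?\s+(?:<DIR>|[\d,]+)\s+\S", re.M),
    "summary": re.compile(r"^\s*\d+ (?:File|Dir)\(s\)\s+[\d,]+ bytes", re.M),
}

def triage(payload: bytes) -> dict:
    """Classify a server-to-client payload that matched the rule string."""
    if RULE_STRING not in payload:
        return {"verdict": "no-alert", "markers": []}
    text = payload.decode("latin-1").replace("\r\n", "\n")
    hits = sorted(name for name, rx in MARKERS.items() if rx.search(text))
    if len(hits) >= 3:
        verdict = "likely-dir-output"      # several independent markers agree
    elif hits:
        verdict = "review"                 # partial or truncated listing
    else:
        verdict = "likely-false-positive"  # bare string in ordinary content
    return {"verdict": verdict, "markers": hits}

# Constructed sample payloads (not captured traffic).
DIR_OUTPUT = rb"""
 Volume in drive C has no label.
 Volume Serial Number is 1234-ABCD

 Directory of C:\inetpub\scripts

03/14/2002  10:12 AM    <DIR>          .
03/14/2002  10:15 AM             1,024 sample.txt
               1 File(s)          1,024 bytes
               1 Dir(s)   1,048,576,000 bytes free
"""
WEB_PAGE = b"<html><h1>Directory of Staff</h1><p>Directory of offices.</p></html>"
PARTIAL = b" Directory of C:\\temp\r\n\r\nFile Not Found\r\n"

if __name__ == "__main__":
    for name, sample in [("dir", DIR_OUTPUT), ("page", WEB_PAGE), ("partial", PARTIAL)]:
        print(name, triage(sample))
```

A "review" verdict still warrants the corrective action below, since a listing may be split across packets or come from an empty directory.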

--
False Negatives: 
None Known

-- 

Corrective Action: 
Investigate the web server for signs of compromise.

Look for other IDS events involving the same IP addresses.

--
Contributors: 
Original rule writer unknown
Snort documentation contributed by Anton Chuvakin <http://www.chuvakin.org>
Sourcefire Research Team
Nigel Houghton <nigel.houghton@sourcefire.com>

-- 
Additional References:

--
