[Snort-devel] snort does not detect good rules

jvarlet at ...2497...
Mon Apr 26 06:49:23 EDT 2004


I'm testing Snort. So, I have installed a Windows 2000 server without any patches.
I use Metasploit with the WebDAV Overflow (Snort rule: 2091).

But Snort does not detect it. It only says that:

I would like Snort to detect the attack:
Exploit Perl code:
my $content = "";   # body is built separately, then appended to the request
# Request line and headers (the target/URL variables come from the exploit's options)
$request = "SEARCH /" . $url ." HTTP/1.1\r\n";
$request .= "Host: " . $target_host . ":" . $target_port . "\r\n";
$request .= "Content-Type: text/xml\r\n";
# WebDAV SEARCH body (XML)
$content .= "<?xml version=\"1.0\"?>\r\n<g:searchrequest xmlns:g=\"DAV:\">\r\n";
$content .= "<g:sql>\r\nSelect \"DAV:displayname\" from scope()\r\n</g:sql>\r\n</g:searchrequest>\r\n";
$request .= "Content-Length: " . length($content) . "\r\n";
$request .= "\r\n$content";   # blank line separates headers from body

Snort rule detected: 1070 WEB-MISC WebDAV search access

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC WebDAV search access"; flow:to_server,established; content: "SEARCH "; depth: 8; nocase;reference:arachnids,474; classtype:web-application-activity; sid:1070; rev:6;) 

Snort rule that I want to detect: 2091 WEB-IIS WEBDAV exploit attempt

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS WEBDAV exploit attempt"; flow:to_server,established; content:"HTTP/1.1|0a|Content-type|3a| text/xml|0a|HOST|3a|"; content:"Accept|3a| |2a|/|2a0a|Translate|3a| f|0a|Content-length|3a|5276|0a0a|"; distance:1; reference:cve,CAN-2003-0109; reference:bugtraq,7716; reference:url,www.microsoft.com/technet/security/bulletin/ms03-007.mspx; classtype:attempted-admin; sid:2090; rev:4;) 

How can I do it?

Thanks a lot.
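As an added illustration (not part of the original post), the following script evaluates the two rules' content/depth/distance options against the request the Perl snippet builds, the way Snort's content matcher does. The host, port and empty URL are constructed placeholder values; the rule option strings are copied from the post.

```python
def snort_content_bytes(pattern: str) -> bytes:
    """Turn a Snort content string such as "HOST|3a| " into raw bytes.
    Text between pipe pairs is hex; everything else is literal ASCII."""
    out = bytearray()
    for i, part in enumerate(pattern.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

def rule_matches(payload: bytes, contents) -> bool:
    """Chain of content matches: depth bounds how far from the search start
    a pattern may end; distance moves the next search start relative to the
    end of the previous match; nocase compares case-insensitively."""
    pos = 0
    for spec in contents:
        pat, hay = snort_content_bytes(spec["content"]), payload
        if spec.get("nocase"):
            pat, hay = pat.lower(), hay.lower()
        start = pos + spec.get("distance", 0)
        end = min(len(hay), start + spec["depth"]) if "depth" in spec else len(hay)
        idx = hay.find(pat, start, end)
        if idx < 0:
            return False
        pos = idx + len(pat)
    return True

# Content options exactly as they appear in the two rules quoted above.
SID_1070 = [{"content": "SEARCH ", "depth": 8, "nocase": True}]
SID_2090 = [
    {"content": "HTTP/1.1|0a|Content-type|3a| text/xml|0a|HOST|3a|"},
    {"content": "Accept|3a| |2a|/|2a0a|Translate|3a| f|0a|Content-length|3a|5276|0a0a|",
     "distance": 1},
]

def build_request(url: str, host: str, port: int) -> bytes:
    """Same construction as the Perl snippet in the post."""
    content = ('<?xml version="1.0"?>\r\n<g:searchrequest xmlns:g="DAV:">\r\n'
               '<g:sql>\r\nSelect "DAV:displayname" from scope()\r\n'
               '</g:sql>\r\n</g:searchrequest>\r\n')
    request = (f"SEARCH /{url} HTTP/1.1\r\nHost: {host}:{port}\r\n"
               f"Content-Type: text/xml\r\nContent-Length: {len(content)}\r\n"
               f"\r\n{content}")
    return request.encode()

REQUEST = build_request("", "192.0.2.10", 80)  # constructed sample values

if __name__ == "__main__":
    print("sid 1070:", rule_matches(REQUEST, SID_1070))  # True
    # False: the rule expects bare \n line endings, Content-type before HOST,
    # Accept and Translate headers, and a Content-length of exactly 5276.
    print("sid 2090:", rule_matches(REQUEST, SID_2090))
```

Rule 1070 fires because "SEARCH " sits inside the first 8 bytes; rule 2090 is a byte-exact match on one specific header layout, so any request with different header order, line endings or body length passes it without alerting.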
