[Snort-sigs] IIS sample code.

Erik Fichtner emf at ...4...
Mon Nov 20 13:20:32 EST 2000


the current [1] rules for spotting IIS sample code access are too lax, imho.

Instead: 

alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-IIS-sample code-/iissamples";flags:PA; content:"/iissamples"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-IIS-sample code-/scripts/samples";flags:PA; content:"/scripts/samples"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-IIS-sample code-/msadc/samples";flags:PA; content:"/msadc/samples"; nocase;)

(of course, it's all moot until we get unicode decode support, and maybe a
way to optionally collapse ../ traversals..)

also, this one seems to be missing:

alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"CVE-1999-0278 WEB-IIS-.asp source code attempt";flags:PA; content:".asp::$DATA"; nocase;)



[1] "current" being defined as 10042k.rules.

-- 
Erik Fichtner
Security Administrator, ServerVault, Inc.
703-333-5900
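
The caveat in the post about unicode decoding and ../ collapsing, as an added example that is not part of the original message and is not Snort code: a sketch of URI normalisation applied before matching the three sample paths, compared with the raw substring match the rules perform. The function names and the sample request URIs are constructed for illustration; decoding is a single pass.

```python
import re

# The three paths from the rules in the post, lowercased (the rules use nocase).
SAMPLE_PATHS = ("/iissamples", "/scripts/samples", "/msadc/samples")

_PCT = re.compile(rb"%([0-9a-fA-F]{2})")
# Overlong two-byte UTF-8 forms of ASCII: lead byte 0xC0/0xC1 plus one continuation byte.
_OVERLONG = re.compile(rb"[\xc0\xc1]([\x80-\xbf])")


def normalize(uri: bytes) -> str:
    """Hypothetical helper: reduce a request URI to the path a lenient server would resolve."""
    path = uri.split(b"?", 1)[0]                       # drop the query string
    path = _PCT.sub(lambda m: bytes([int(m.group(1), 16)]), path)  # one pass of %XX decoding
    # Fold overlong sequences back to ASCII: ((lead & 0x1f) << 6) | (cont & 0x3f)
    path = _OVERLONG.sub(
        lambda m: bytes([((m.group(0)[0] & 0x1F) << 6) | (m.group(1)[0] & 0x3F)]), path)
    out = []
    for seg in path.replace(b"\\", b"/").lower().decode("latin-1").split("/"):
        if seg == "..":
            if out:
                out.pop()                              # collapse one ../ step
        elif seg not in ("", "."):
            out.append(seg)
    return "/" + "/".join(out)


def raw_match(uri: bytes) -> list:
    """What a nocase content match on the raw payload sees."""
    return [p for p in SAMPLE_PATHS if p.encode() in uri.lower()]


def normalized_match(uri: bytes) -> list:
    """The same match applied after normalisation."""
    path = normalize(uri)
    return [p for p in SAMPLE_PATHS if p in path]


if __name__ == "__main__":
    constructed = [                                    # constructed sample URIs
        b"/IISSamples/default.asp",
        b"/%69issamples/default.asp",
        b"/scripts/tmp/../samples/x.asp",
        b"/msadc%c0%afsamples/x.asp",
        b"/index.html",
    ]
    for uri in constructed:
        print(uri, "raw:", raw_match(uri), "normalized:", normalized_match(uri))
```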


