[Snort-sigs] IIS sample code.

Erik Fichtner emf at ...4...
Mon Nov 20 13:20:32 EST 2000

the current [1] rules for spotting IIS sample code access are too lax, imho.


alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-IIS-sample code-/iissamples";flags:PA; content:"/iissamples"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-IIS-sample code-/scripts/samples";flags:PA; content:"/scripts/samples"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-IIS-sample code-/msadc/samples";flags:PA; content:"/msadc/samples"; nocase;)

(of course, it's all moot until we get unicode decode support, and maybe a
way to optionally collapse ../ traversals..)

also, this one seems to be missing:

alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"CVE-1999-0278 WEB-IIS-.asp source code attempt";flags:PA; content:".asp::$DATA"; nocase;)

[1] "current" being defined as 10042k.rules.

Erik Fichtner
Security Administrator, ServerVault, Inc.
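
An added example, not part of the original post and not Snort code: a Python sketch of the decode and ../ collapse step the message says these content matches depend on, applied before testing the four content strings above. It assumes plain percent-encoding only (no IIS %uXXXX or overlong UTF-8 handling); the function names and sample request lines are constructed for illustration.

```python
import posixpath
from urllib.parse import unquote

# Content strings and messages taken from the four rules in the message above,
# lowercased here because the rules use nocase.
PATTERNS = {
    "/iissamples": "WEB-IIS-sample code-/iissamples",
    "/scripts/samples": "WEB-IIS-sample code-/scripts/samples",
    "/msadc/samples": "WEB-IIS-sample code-/msadc/samples",
    ".asp::$data": "CVE-1999-0278 WEB-IIS-.asp source code attempt",
}

def raw_match(request_line):
    """What a nocase content match sees on the undecoded request line."""
    line = request_line.lower()
    return sorted(msg for pat, msg in PATTERNS.items() if pat in line)

def normalize(uri, max_rounds=3):
    """Percent-decode (bounded repeats for double encoding), unify slashes, lowercase."""
    for _ in range(max_rounds):
        decoded = unquote(uri, encoding="latin-1")
        if decoded == uri:
            break
        uri = decoded
    return uri.replace("\\", "/").lower()

def collapse(path):
    """Resolve ./ and ../ segments so the match sees the path that is served."""
    return posixpath.normpath("/" + path.lstrip("/"))

def match(request_line):
    """Rule messages that fire once the URI is decoded and collapsed."""
    parts = request_line.split(" ")
    if len(parts) < 2:
        return []
    decoded = normalize(parts[1])
    # Check both forms: the decoded URI as sent and its collapsed path.
    candidates = (decoded, collapse(decoded.split("?", 1)[0]))
    return sorted({msg for pat, msg in PATTERNS.items()
                   if any(pat in c for c in candidates)})

# Constructed sample request lines (not captured traffic).
SAMPLES = [
    "GET /iissamples/default.htm HTTP/1.0",
    "GET /%69issamples/default.htm HTTP/1.0",
    "GET /scripts/x/../samples/foo.asp HTTP/1.0",
    "GET /login.asp%3A%3A$DATA HTTP/1.0",
    "GET /index.html HTTP/1.0",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r}: raw={raw_match(s)} normalized={match(s)}")
```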
