[Snort-sigs] IIS sample code.

Erik Fichtner emf at ...4...
Mon Nov 20 13:31:22 EST 2000

On Mon, Nov 20, 2000 at 01:20:32PM -0500, Erik Fichtner wrote:
> (of course, it's all moot until we get unicode decode support, and maybe a
> way to optionally collapse ../ traversals..)

Doh, nevermind. I just realized how that's supposed to work.. multiple 
content:"" blocks.

Try these instead:

alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-IIS-sample code-/iissamples";flags:PA; content:"/iissamples"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-IIS-sample code-/scripts/samples";flags:PA; content:"scripts"; content:"samples"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-IIS-sample code-/msadc/samples";flags:PA; content:"msadc"; content:"samples"; nocase;)

Those could perhaps use a depth: as well.  hrm.

Erik Fichtner
Security Administrator, ServerVault, Inc.

More information about the Snort-sigs mailing list