[Snort-sigs] WEB-IIS File permission canonicalization

Jensenne Roculan jroculan at ...113...
Tue Sep 18 20:22:04 EDT 2001


Hi there,

Due to the Nimda worm, we're seeing a tonne of these WEB-IIS File
permission canonicalization sigs being set off:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS File permission canonicalization"; uricontent:"/scripts/..%c0%af../"; flags: A+; nocase; classtype:attempted-admin; sid:981; rev:1;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS File permission canonicalization"; uricontent:"/scripts/..%c1%1c../"; flags: A+; nocase; classtype:attempted-admin; sid:982; rev:1;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS File permission canonicalization"; uricontent:"/scripts/..%c1%9c../"; flags: A+; nocase; classtype:attempted

I am just curious as to why these rules were classified as WEB-IIS File
permission canonicalization?  Wouldn't an extended UNICODE classification
be much more suitable or am I missing something?  Thanks in advance.

Cheers,

Jensenne Roculan
SecurityFocus - http://www.securityfocus.com
ARIS - http://aris.securityfocus.com
(403) 213-3939 ext. 229
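
Added example, not part of the original message or of Snort: a Python check that generalizes the three uricontent patterns above to any percent-encoded pair with a C0 or C1 lead byte, and shows what a decoder that does not reject overlong UTF-8 would turn each one into. The function names and the lenient decoding model are assumptions made for illustration; the sample URIs are constructed from the rule patterns quoted in the message.

```python
import re

# Percent-encoded pair whose lead byte is C0 or C1. Valid UTF-8 never uses
# these lead bytes: they can only encode values below 0x80, which must be
# written as a single byte, so any hit is an overlong (non-canonical) form.
OVERLONG = re.compile(r"%(c[01])%([0-9a-f]{2})", re.IGNORECASE)


def lenient_decode(match):
    """Assumed permissive decoder: keep the low 5 bits of the lead byte and
    the low 6 bits of the trail byte, without checking that the trail byte
    is a real continuation byte (10xxxxxx)."""
    lead, trail = int(match.group(1), 16), int(match.group(2), 16)
    return chr(((lead & 0x1F) << 6) | (trail & 0x3F))


def inspect_uri(uri):
    """Return (hits, normalized, traversal) for one request URI.

    hits       -- list of (encoded sequence, character it decodes to)
    normalized -- URI with every overlong pair replaced by that character
    traversal  -- True if a hidden path separator yields '../' or '..\\'
    """
    hits = [(m.group(0).lower(), lenient_decode(m)) for m in OVERLONG.finditer(uri)]
    normalized = OVERLONG.sub(lenient_decode, uri)
    hidden_sep = any(ch in "/\\" for _, ch in hits)
    traversal = hidden_sep and re.search(r"\.\.[/\\]", normalized) is not None
    return hits, normalized, traversal


# Constructed sample URIs: the three rule patterns plus one benign request
# containing a valid two-byte UTF-8 character (C3 A9), which must not alert.
SAMPLES = [
    "/scripts/..%c0%af../",
    "/scripts/..%c1%1c../",
    "/scripts/..%C1%9C../",
    "/scripts/report.asp?name=caf%c3%a9",
]

if __name__ == "__main__":
    for uri in SAMPLES:
        hits, normalized, traversal = inspect_uri(uri)
        print(f"{uri!r}: hits={hits} normalized={normalized!r} traversal={traversal}")
```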





