[Snort-sigs] SID 1016

Dan Hanson dhanson at ...113...
Thu Aug 29 14:52:04 EDT 2002


snortrulescurrent-020829/web-iis.rules:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-IIS global.asa access"; flow:to_server,established;
content:"/global.asa"; nocase; reference:nessus,10491;
reference:cve,CVE-2000-0778; classtype:web-application-activity;
sid:1016; rev:7;)

This rule appears to not be related to the CVE item that is listed.
The item covered by CVE-2000-0778 and BID 1578 is the source disclosure
due to a trailing / after a filename that should be parsed by the IIS
scripting engine.

The references should either be removed to reflect that this is simply
activity targeting global.asa (no trailing / in the content) or the rule
should be updated to search for .asp .asa .htr (etc) files followed by a
slash.

Thoughts?
D

--
Dan Hanson
TMS Threat Analyst
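
The mismatch described in the post, as an added example that is not part of the original message or of the Snort rule set: it parses the quoted rule, emulates its single content match, and compares it with a hypothetical "script extension followed by a slash" pattern of the kind the post proposes. The request lines are constructed, the regex and function names are assumptions, and matching is done on the request line only as a simplification.

```python
import re

# Rule text as quoted in the post, with the e-mail line wrapping removed.
RULE = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
        '(msg:"WEB-IIS global.asa access"; flow:to_server,established; '
        'content:"/global.asa"; nocase; reference:nessus,10491; '
        'reference:cve,CVE-2000-0778; classtype:web-application-activity; '
        'sid:1016; rev:7;)')

def parse_options(rule):
    """Split the rule's option block into (keyword, value) pairs."""
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    opts = []
    # Split on ';' but keep semicolons that sit inside double quotes.
    for item in re.findall(r'(?:[^;"]|"[^"]*")+', body):
        key, _, val = item.strip().partition(':')
        if key:
            opts.append((key, val.strip().strip('"')))
    return opts

def sid1016_matches(payload, opts):
    """Emulate the rule's only payload test: content plus optional nocase."""
    content = next(v for k, v in opts if k == 'content')
    if any(k == 'nocase' for k, _ in opts):
        return content.lower() in payload.lower()
    return content in payload

# Hypothetical pattern (assumption, not a published rule): the extensions
# named in the post followed by a slash; the post's "(etc)" is left unfilled.
TRAILING_SLASH = re.compile(r'\.(?:asp|asa|htr)/', re.IGNORECASE)

def trailing_slash_matches(payload):
    return bool(TRAILING_SLASH.search(payload))

# Constructed request lines, not captured traffic.
SAMPLES = ["GET /global.asa HTTP/1.0", "GET /GLOBAL.ASA/ HTTP/1.0",
           "GET /default.asp/ HTTP/1.0", "GET /scripts/login.htr/ HTTP/1.0",
           "GET /default.asp HTTP/1.0"]

def compare(samples=SAMPLES):
    """Return (request, sid1016_fires, trailing_slash_fires) per sample."""
    opts = parse_options(RULE)
    return [(s, sid1016_matches(s, opts), trailing_slash_matches(s))
            for s in samples]

if __name__ == "__main__":
    for req, cur, alt in compare():
        print(f"{req:36} sid1016={cur!s:5} trailing_slash={alt}")
```

The current content match fires on any global.asa request and misses trailing-slash requests for other script files, which is the gap between the rule and its CVE reference that the post points out.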




