[Snort-sigs] 1 reference ; 1 rule duplicate

Chris Green cmg at ...26...
Fri Jan 18 12:44:04 EST 2002


sid:1042

WEB-IIS view source via translate header

reference: bugtraq, 1578
web-iis.rules:84:

alert tcp $HTTP_SERVERS 80 -> $EXTERNAL_NET any
   (msg:"WEB-IIS Unauthorized IP Access Attempt"; flags: A+;
    content:"403"; content:"Forbidden\:";
    classtype:web-application-attack; sid:1045; rev:2;)

web-misc.rules:153:
alert tcp $HTTP_SERVERS 80 -> $EXTERNAL_NET any
      (msg:"WEB-MISC 403 Forbidden";
       flags: A+; content:"HTTP/1.1 403";
       classtype:attempted-recon; sid:1201; rev:1;)

Sid 1201 is the generic version of 1045

Example packet capture:

xxx.xxx.xxx.xxx:80 -> xxx.xxx.xxx.xxx:63536 TCP
 TTL:127 TOS:0x0 ID:36018 IpLen:20 DgmLen:576
***A**** Seq: 0xC9AC3D0F  Ack: 0x80CFEEA2  Win: 0x442E  TcpLen: 20
48 54 54 50 2F 31 2E 31 20 34 30 33 20 41 63 63  HTTP/1.1 403 Acc
65 73 73 20 46 6F 72 62 69 64 64 65 6E 0D 0A 53  ess Forbidden..S
65 72 76 65 72 3A 20 4D 69 63 72 6F 73 6F 66 74  erver: Microsoft
2D 49 49 53 2F 35 2E 30 0D 0A 44 61 74 65 3A 20  -IIS/5.0..Date:

For speed purposes, we could probably add a depth: 12 to 1201.  I'm
sure there is a funky webserver out there that won't match but this is
almost a datamining quality rule anyway and should be trimmed for
speed.
-- 
Chris Green <cmg at ...26...>
"I'm beginning to think that my router may be confused."
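Added example, not part of Chris Green's message or of the Snort rule set: a small Python model of Snort's `content` / `depth` matching, run over the first bytes of the IIS 5.0 response from the capture above and over a constructed payload (hypothetical, not from the post) from a server that emits a stray CRLF before its status line. It shows that `depth: 12` is the smallest depth that still matches `HTTP/1.1 403` (the pattern is exactly 12 bytes long and sits at offset 0 of a normal response) and gives a concrete instance of the "funky webserver" that the trimmed rule would stop matching.

```python
"""Model of Snort 'content' matching with and without 'depth'.

Snort searches the packet payload for the content pattern; when
'depth: N' is given, the pattern must lie wholly within the first N
payload bytes.  This is an added illustration, not Snort code.
"""
from typing import Optional

# Payload as shown in the capture in the post (first 64 bytes of the
# IIS 5.0 response).
IIS_403 = (b"HTTP/1.1 403 Access Forbidden\r\n"
           b"Server: Microsoft-IIS/5.0\r\nDate: ")

# Constructed payload (not in the post): a hypothetical server that
# sends a stray CRLF before its status line.  Used to show what a
# depth-limited rule stops catching.
FUNKY_403 = b"\r\nHTTP/1.1 403 Forbidden\r\nServer: funky/0.1\r\n"

# The content from sid 1201 in web-misc.rules.
SID_1201_PATTERN = b"HTTP/1.1 403"


def content_match(payload: bytes, pattern: bytes,
                  depth: Optional[int] = None) -> bool:
    """Return True if `pattern` occurs wholly within the first `depth`
    bytes of `payload`.  With no depth the whole payload is searched,
    which is what sid 1201 rev 1 does today."""
    window = payload if depth is None else payload[:depth]
    return pattern in window


def sid_1201(payload: bytes, depth: Optional[int] = None) -> bool:
    """Apply the sid 1201 content check, optionally with a depth."""
    return content_match(payload, SID_1201_PATTERN, depth)


def min_depth(pattern: bytes) -> int:
    """Smallest depth that can still match a pattern at offset 0."""
    return len(pattern)


if __name__ == "__main__":
    print("pattern length:", min_depth(SID_1201_PATTERN))
    for name, payload in (("IIS", IIS_403), ("funky", FUNKY_403)):
        print(name, "no depth:", sid_1201(payload),
              "depth 12:", sid_1201(payload, depth=12),
              "depth 11:", sid_1201(payload, depth=11))
```

The IIS response matches with or without the depth, and a depth of 11 would break even the normal case, so 12 is the tightest value. The constructed payload matches only without the depth, which is the trade-off the post accepts for a rule it regards as data-mining quality.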