[Snort-sigs] 1 reference; 1 rule duplicate

Michael Scheidell scheidell at ...249...
Fri Jan 18 13:33:07 EST 2002


> sid:1042
> 
> WEB-IIS view source via translate header
> 
> reference: bugtraq, 1578
> web-iis.rules:84:
> 
> alert tcp $HTTP_SERVERS 80 -> $EXTERNAL_NET any
>    (msg:"WEB-IIS Unauthorized IP Access Attempt"; flags: A+;
>     content:"403"; content:"Forbidden\:";
>     classtype:web-application-attack; sid:1045; rev:2;)
> 
> web-misc.rules:153:
> alert tcp $HTTP_SERVERS 80 -> $EXTERNAL_NET any
>       (msg:"WEB-MISC 403 Forbidden";
>        flags: A+; content:"HTTP/1.1 403";
>        classtype:attempted-recon; sid:1201; rev:1;)
> 
> Sid 1201 is the generic version of 1045
> 
> Example packet capture:
> 
> xxx.xxx.xxx.xxx:80 -> xxx.xxx.xxx.xxx:63536 TCP
>  TTL:127 TOS:0x0 ID:36018 IpLen:20 DgmLen:576
> ***A**** Seq: 0xC9AC3D0F  Ack: 0x80CFEEA2  Win: 0x442E  TcpLen: 20
> 48 54 54 50 2F 31 2E 31 20 34 30 33 20 41 63 63  HTTP/1.1 403 Acc
> 65 73 73 20 46 6F 72 62 69 64 64 65 6E 0D 0A 53  ess Forbidden..S
> 65 72 76 65 72 3A 20 4D 69 63 72 6F 73 6F 66 74  erver: Microsoft
> 2D 49 49 53 2F 35 2E 30 0D 0A 44 61 74 65 3A 20  -IIS/5.0..Date:
> 
> For speed purposes, we could probably add a depth: 12 to 1201.  I'm
> sure there is a funky webserver out there that won't match but this is
> almost a datamining quality rule anyway and should be trimmed for
> speed.
> -- 
> Chris Green <cmg at ...26...>
> "I'm beginning to think that my router may be confused."
> 

-- 
Michael Scheidell
Secnap Network Security, LLC
(561) 368-9561 scheidell at ...249...
See updated IT Security News at http://www.secnap.net/
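An added example, not from this thread or from the Snort source: a toy model of Snort 1.x "content"/"depth" matching that runs the two 403 rules quoted above (sid 1045 and sid 1201, plus 1201 with the proposed depth: 12) over a few server-to-client payloads. The first payload is rebuilt from the hex dump posted in the thread (only the 64 bytes shown, so the body is missing); the others are constructed, including the "funky webserver" case of a stray CRLF before the status line, and the body text "Forbidden: IP address rejected" is made up to illustrate the literal "Forbidden:" that sid 1045 looks for. Rule names and helper functions are mine.

```python
# Added example (not from the Snort-sigs thread or the Snort source): a
# toy model of Snort 1.x "content"/"depth" matching, used to show what the
# proposed "depth: 12" buys and costs for sid 1201, and how sid 1045
# differs. Sample payloads are constructed except the hex dump, which is
# the one quoted in the thread.

import re

HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")

# Hex dump of the IIS 5.0 reply as posted in the thread (64 bytes, truncated).
SNORT_HEXDUMP = """\
48 54 54 50 2F 31 2E 31 20 34 30 33 20 41 63 63  HTTP/1.1 403 Acc
65 73 73 20 46 6F 72 62 69 64 64 65 6E 0D 0A 53  ess Forbidden..S
65 72 76 65 72 3A 20 4D 69 63 72 6F 73 6F 66 74  erver: Microsoft
2D 49 49 53 2F 35 2E 30 0D 0A 44 61 74 65 3A 20  -IIS/5.0..Date:
"""

def parse_snort_hexdump(dump):
    """Rebuild payload bytes from Snort's 16-bytes-per-line hex dump.
    Only the leading hex column is read; the ASCII column is ignored."""
    out = bytearray()
    for line in dump.splitlines():
        for tok in line.split()[:16]:
            if not HEX_BYTE.match(tok):
                break
            out.append(int(tok, 16))
    return bytes(out)

# Rule models: list of (content, depth). depth=None means "search the whole
# payload", as in the rules quoted above. "Forbidden\:" in sid 1045 is the
# literal string "Forbidden:".
RULES = {
    "1045":       [(b"403", None), (b"Forbidden:", None)],
    "1201":       [(b"HTTP/1.1 403", None)],
    # Proposed tweak: len(b"HTTP/1.1 403") == 12, so depth:12 means the
    # status line must start at byte 0 of the payload.
    "1201+depth": [(b"HTTP/1.1 403", 12)],
}

def content_match(payload, pattern, depth=None):
    """Snort semantics: with depth N only the first N payload bytes are
    searched, so the whole pattern must fit inside them."""
    window = payload if depth is None else payload[:depth]
    return pattern in window

def rule_matches(rule, payload):
    return all(content_match(payload, pat, d) for pat, d in rule)

def evaluate(payload):
    """Return {rule name: matched?} for one server->client payload."""
    return {name: rule_matches(rule, payload) for name, rule in RULES.items()}

# Constructed payloads.
# Full reply in the style of the captured one, with a body containing the
# "Forbidden:" text that sid 1045 looks for (body text is made up).
IIS_FULL = (b"HTTP/1.1 403 Access Forbidden\r\nServer: Microsoft-IIS/5.0\r\n\r\n"
            b"<html>403 Forbidden: IP address rejected</html>")
# The "funky webserver" case: a stray CRLF before the status line.
FUNKY_403 = b"\r\nHTTP/1.1 403 Forbidden\r\n\r\n"
# HTTP/1.0 status line: missed by 1201 with or without depth.
HTTP10_403 = b"HTTP/1.0 403 Forbidden\r\n\r\n"
# 200 reply whose body merely mentions 403.
OK_200 = b"HTTP/1.1 200 OK\r\n\r\n<p>see error 403</p>"

CAPTURED = parse_snort_hexdump(SNORT_HEXDUMP)

if __name__ == "__main__":
    for name, p in [("captured", CAPTURED), ("iis_full", IIS_FULL),
                    ("funky", FUNKY_403), ("http10", HTTP10_403),
                    ("ok200", OK_200)]:
        print(f"{name:9s} {evaluate(p)}")
```

Running it shows the trade-off Chris describes: with depth: 12 the match window is exactly the length of "HTTP/1.1 403", so sid 1201 fires only when the status line begins at byte 0 of the payload (the captured IIS reply does), and the "funky" reply with a leading CRLF is matched by the unbounded rule but not by the depth-limited one. It also shows why 1201 is the generic rule: the truncated capture satisfies 1201 but not 1045, which additionally needs the literal "Forbidden:" that only appears once the error body is present.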
