[Snort-sigs] Snort signatures for MS02-018 IIS vulnerabilities.

Sean Hittel seanh at ...113...
Fri Jun 7 04:27:01 EDT 2002


On Thu, 30 May 2002, Chris Green wrote:

> Sean Hittel <seanh at ...113...> writes:
>
> > Greetings,
> >
> > On April 10, 2002, Microsoft released Security Bulletin MS02-018,
> > detailing several severe vulnerabilities in various versions of IIS,
> > Microsoft's Web server. The vulnerabilities include buffer overflows,
> > access violations resulting in a Denial of Service (DoS) condition, and
> > cross-site scripting issues. Several of these vulnerabilities may allow an
> > attacker to execute arbitrary code on a vulnerable server.
> >
>
> Thanks for the rules.
>
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"Possible Microsoft IIS FTP STAT "*" DoS Attempt"; flags: A+; content:"STAT"; nocase; content:"*"; reference:bugtraq,4482; rev:1;)
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"Possible Microsoft IIS FTP STAT "?" DoS Attempt"; flags: A+; content:"STAT"; nocase; content:"?"; reference:bugtraq,4482; rev:1;)
>
> These should use '?' instead of "?" in their message portions.

Thanks. I was uncertain of the convention. Both ways worked.

> > We have produced Snort signatures for many of these vulnerabilities, and
> > have made them available in the following document, which discusses these
> > signatures and the associated vulnerabilities. This document is available
> > at:
>
> Thanks. May we include these in the current and 1.8.7 rulesets?

Sure.

> shtml.exe is a duplicate; haven't fully checked all the other ones.

The shtml.exe signature is indeed a duplicate. It was included for
completeness' sake. Also, the existing chunked encoding signature has been
modified to remove the space between "Transfer-Encoding:" and "chunked".
Although this space should be required, it is not required in either a
legitimate chunked encoding transfer, or an exploit attempt.

> --
> Chris Green <cmg at ...435...>
> I've had a perfectly wonderful evening. But this wasn't it.
>      -- Groucho Marx
>
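
An added illustration of the whitespace point in the reply above (not part of the original message or of any Snort ruleset): a fixed-string match that assumes one space after "Transfer-Encoding:" is compared with a header parse that tolerates any or no whitespace. The request samples, the /upload path, the example.test host and all function names are constructed for this example.

```python
# Constructed sample requests; none come from the original post.
SAMPLES = {
    "one_space": b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
                 b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
    "no_space":  b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
                 b"Transfer-Encoding:chunked\r\n\r\n0\r\n\r\n",
    "tab_upper": b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
                 b"transfer-encoding:\tCHUNKED\r\n\r\n0\r\n\r\n",
    "body_only": b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
                 b"Content-Length: 26\r\n\r\nTransfer-Encoding: chunked",
}

# Literal pattern that hard-codes a single space after the colon.
FIXED = b"transfer-encoding: chunked"


def header_block(request: bytes) -> bytes:
    """Return only the header section so body bytes are never inspected."""
    head, _, _ = request.partition(b"\r\n\r\n")
    return head


def fixed_match(request: bytes) -> bool:
    """Case-insensitive literal match; misses the no-space and tab forms."""
    return FIXED in header_block(request).lower()


def tolerant_match(request: bytes) -> bool:
    """Parse each header line and ignore whitespace around name and value."""
    for line in header_block(request).split(b"\r\n")[1:]:  # skip request line
        name, sep, value = line.partition(b":")
        if not sep or name.strip().lower() != b"transfer-encoding":
            continue
        codings = [c.strip().lower() for c in value.split(b",")]
        if b"chunked" in codings:
            return True
    return False


def compare() -> dict:
    """Map each sample name to (fixed_match, tolerant_match)."""
    return {k: (fixed_match(v), tolerant_match(v)) for k, v in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:10s} fixed={result[0]!s:5s} tolerant={result[1]}")
```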




