[Snort-sigs] Snort signatures for MS02-018 IIS vulnerabilities.

Chris Green cmg at ...435...
Thu May 30 08:14:11 EDT 2002


Sean Hittel <seanh at ...113...> writes:

> Greetings,
>
> On April 10, 2002, Microsoft released Security Bulletin MS02-018,
> detailing several severe vulnerabilities in various versions of IIS,
> Microsoft's Web server. The vulnerabilities include buffer overflows,
> access violations resulting in a Denial of Service (DoS) condition, and
> cross-site scripting issues. Several of these vulnerabilities may allow an
> attacker to execute arbitrary code on a vulnerable server.
>

Thanks for the rules.


alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"Possible Microsoft IIS FTP STA
T "*" DoS Attempt"; flags: A+; content:"STAT"; nocase; content:"*"; reference:bu
gtraq,4482; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"Possible Microsoft IIS FTP STA
T "?" DoS Attempt"; flags: A+; content:"STAT"; nocase; content:"?"; reference:bu
gtraq,4482; rev:1;)

These should use '?' instead of "?" in their message portions.

> We have produced Snort signatures for many of these vulnerabilities, and
> have made them available in the following document, which discusses these
> signatures and the associated vulnerabilities. This document is available
> at:

Thanks. May we include these in the current and 1.8.7 rulesets?

shtml.exe is a duplicate; haven't fully checked allt he other ones.
-- 
Chris Green <cmg at ...435...>
I've had a perfectly wonderful evening. But this wasn't it.
     -- Groucho Marx




More information about the Snort-sigs mailing list