[Snort-sigs] Snort signatures for MS02-018 IIS vulnerabilities.

Kreimendahl, Chad J Chad.Kreimendahl at ...361...
Thu May 30 11:26:03 EDT 2002


Rewritten to fit within current standards. I believe with flow setup, this
only works in snort-current.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS
Chunked Encoding transfer attempt"; flow:to_server,established;
content:"Transfer-Encoding|3A|"; nocase; content:"chunked"; nocase;
reference:bugtraq,4485; classtype:web-application-activity;)

Not sure if these next 3 should be WEB-IIS or FTP (or DoS)... It is IIS, but
it is FTP.
Also, we currently use $FTP_PORTS, which I'd also recommend the snort group
change to... But I left it as 21 so people could easily import. Also... DoS
or web-application-attack on port 80? More DoS than web-app-attack.

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"WEB-IIS FTP STAT DoS
Attempt"; flow:to_server,established; content:"STAT"; nocase; dsize:>245;
reference:bugtraq,4482; classtype:denial-of-service;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"WEB-IIS FTP STAT '*' DoS
Attempt"; flow:to_server,established; content:"STAT"; nocase; content:"*";
reference:bugtraq,4482; classtype:denial-of-service;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"WEB-IIS FTP STAT '?' DoS
Attempt"; flow:to_server,established; content:"STAT"; nocase; content:"?";
reference:bugtraq,4482; classtype:denial-of-service;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS
Buffer Overrun in HTTP header handling"; flow:to_server,established;
content:"|3A|"; content:"|0A|"; content:"|00|";
classtype:denial-of-service; reference:bugtraq,4476;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS
Overflow-htr access"; flow:to_server,established; uricontent:".htr"; nocase;
classtype:web-application-attack; reference:bugtraq,4474;)
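As an added example (not part of the original post or of the Snort ruleset), the following script approximates the content / nocase / dsize / uricontent tests of the rules above and runs them over constructed HTTP and FTP payloads, so the hit and miss profile of each signature can be checked offline. It assumes the simplified matching semantics in the comments; Snort's real engine (preprocessors, URI normalisation, ordering) is not modelled, and the rules themselves impose no ordering either.

```python
# Added example, not from the original post: approximate the option tests of the
# posted rules and evaluate them over constructed payloads. Ordering/distance
# between contents is ignored, as the posted rules do not constrain it either.

RULES = {
    # name: (required contents as (bytes, nocase), dsize lower bound, uricontent)
    "chunked":        ([(b"Transfer-Encoding:", True), (b"chunked", True)], None, None),
    "ftp_stat_dsize": ([(b"STAT", True)], 245, None),
    "ftp_stat_star":  ([(b"STAT", True), (b"*", False)], None, None),
    "ftp_stat_qmark": ([(b"STAT", True), (b"?", False)], None, None),
    "header_nul":     ([(b":", False), (b"\n", False), (b"\x00", False)], None, None),
    "htr":            ([], None, b".htr"),
}

def _contains(haystack, needle, nocase):
    return needle.lower() in haystack.lower() if nocase else needle in haystack

def _uri(payload):
    # Approximation of uricontent: the request-target of the first request line.
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    return parts[1] if len(parts) >= 2 else b""

def matches(rule_name, payload):
    contents, dsize_gt, uricontent = RULES[rule_name]
    if dsize_gt is not None and len(payload) <= dsize_gt:   # dsize:>N
        return False
    if uricontent is not None and not _contains(_uri(payload), uricontent, True):
        return False
    return all(_contains(payload, c, nc) for c, nc in contents)

def evaluate(payload):
    """Names of the posted rules whose option tests all succeed on payload."""
    return {name for name in RULES if matches(name, payload)}

# Constructed samples (not captured traffic).
LEGIT_CHUNKED_POST = (b"POST /upload HTTP/1.1\r\nHost: www\r\n"
                      b"Transfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n")
PLAIN_GET = b"GET / HTTP/1.1\r\nHost: www\r\n\r\n"
NUL_IN_HEADER = b"GET / HTTP/1.1\r\nHost: www\x00\r\n\r\n"
SHORT_STAT = b"STAT\r\n"
LONG_STAT = b"STAT " + b"A" * 250 + b"\r\n"

if __name__ == "__main__":
    for p in (LEGIT_CHUNKED_POST, PLAIN_GET, NUL_IN_HEADER, SHORT_STAT, LONG_STAT):
        print(p[:24], sorted(evaluate(p)))
```

Running it shows that the chunked-encoding rule fires on any legitimate chunked POST, so expect noise on servers that accept uploads, and that the three-content header rule reduces in practice to "request contains a NUL byte", since every HTTP request already carries a colon and a newline.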