[Snort-sigs] SID 496

Anton Chuvakin anton at ...1177...
Tue Jan 14 21:48:02 EST 2003


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id: snort-sid-template.txt,v 1.1 2002/10/09 13:06:31 cazz Exp $
#
#

Rule:

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES directory listing"; content:"Directory of"; nocase; flow:from_server,established; classtype:unknown; sid:496; rev:7;)

--
Sid: 496

-- 
Summary: A post-compromise behavior indicating the use of Windows command shell.

-- 

Impact: an attacker might have gained the ability to execute commands remotely.

--
Detailed Information:

The signature is aimed at catching the output of the standard Windows
command for listing directories. The string "Directory of" is typically
shown in front of the directory listing on Windows NT/2000/XP. Seeing
such a response in HTTP traffic indicates that somebody has managed to
"convince" the web server to spawn a shell bound to a web port and has
successfully executed at least one command to list a directory. Note
that the source address in this signature is actually the victim and
not the attacker, unlike in the exploit signatures.

--

Attack Scenarios: an attacker gains access to a Windows web server via
an IIS vulnerability and manages to start a cmd.exe shell. He then
proceeds to look for interesting files on the compromised server via
the "dir" command.

-- 

Ease of Attack: this post-attack behavior can accompany different
attacks.

-- 

False Positives: the signature will trigger if the string "Directory
of" appears in the content distributed by the web server, in which
case the signature should be tuned.
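The following added example (not part of the original post) reproduces the rule's matching logic in Python over constructed HTTP responses: a "dir" listing echoed back through a server-side shell, as described under Detailed Information, and a legitimate page that merely contains the phrase, which is the false positive noted above. The address ranges, the packet structure and the tightened check that also requires another marker of real "dir" output are assumptions made for the illustration.

```python
import ipaddress
import re
from dataclasses import dataclass

HTTP_SERVERS = ipaddress.ip_network("192.0.2.0/24")   # constructed stand-in for $HTTP_SERVERS
HTTP_PORTS = {80, 8080}                                # constructed stand-in for $HTTP_PORTS

@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    established: bool
    payload: bytes

def sid496_matches(pkt: Packet) -> bool:
    """Mirror SID 496: server -> external, established flow, 'Directory of' present (nocase)."""
    if ipaddress.ip_address(pkt.src) not in HTTP_SERVERS or pkt.sport not in HTTP_PORTS:
        return False
    if ipaddress.ip_address(pkt.dst) in HTTP_SERVERS:   # assumption: $EXTERNAL_NET = !$HTTP_SERVERS
        return False
    if not pkt.established:
        return False
    return b"directory of" in pkt.payload.lower()

# Tuning idea (an assumption, not from the original post): genuine cmd.exe 'dir' output also
# carries markers such as '<DIR>', 'bytes free' or 'Volume in drive'; requiring one cuts false positives.
DIR_MARKERS = re.compile(rb"<DIR>|bytes free|Volume in drive", re.IGNORECASE)

def sid496_tuned(pkt: Packet) -> bool:
    return sid496_matches(pkt) and DIR_MARKERS.search(pkt.payload) is not None

# Constructed sample responses
SHELL_OUTPUT = (b"HTTP/1.1 200 OK\r\n\r\n Volume in drive C has no label.\r\n"
                b" Directory of C:\\Inetpub\\wwwroot\r\n\r\n"
                b"01/14/2003  09:48 PM    <DIR>          .\r\n"
                b"               1 File(s)  1,024 bytes free\r\n")
BENIGN_PAGE = b"HTTP/1.1 200 OK\r\n\r\n<html><p>Browse the directory of member companies.</p></html>"

compromised = Packet("192.0.2.10", 80, "198.51.100.7", 40001, True, SHELL_OUTPUT)
benign = Packet("192.0.2.10", 80, "198.51.100.7", 40002, True, BENIGN_PAGE)
inbound = Packet("198.51.100.7", 40003, "192.0.2.10", 80, True, SHELL_OUTPUT)  # wrong direction

if __name__ == "__main__":
    for name, p in [("compromised", compromised), ("benign", benign), ("inbound", inbound)]:
        print(f"{name}: sid496={sid496_matches(p)} tuned={sid496_tuned(p)}")
```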

--
False Negatives: not known

-- 

Corrective Action: investigate the web server for signs of compromise,
run file integrity checking software, and look for other IDS alerts
involving the same IP addresses.

--
Contributors: Anton Chuvakin <http://www.chuvakin.org>

-- 
Additional References: