[Snort-sigs] Signature 1567 vs. 1568 (root.asp)

Brian bmc at ...95...
Sun Jan 26 15:57:02 EST 2003


On Mon, Dec 16, 2002 at 03:33:41PM +0100, Melanie Rieback wrote:
> I have a question about snort alert 1567 (WEB-MISC /exchange/root.asp attempt) vs alert 1568 (WEB-MISC /exchange/root.asp access).
> Alert 1567 looks for the following string:  "/exchange/root.asp?acs=anon"
> Alert 1568 looks for the following string:  "/exchange/root.asp"
> 
> I looked around on the web, and the only root.asp exploit that I could find is described by Alert 1567.  (See bottom of email for a description of the exploit.)    Therefore, I was wondering why alert 1568 also exists.
> 
> I am currently monitoring a large network, and alert 1568 is creating a 
> number of false positives for what appears to me to be normal usage.   Is 
> there another exploit of /exchange/root.asp that does not include 
> "?acs=anon", or does this other alert have some sort of greater purpose?

Well, most people don't run exchange, and therefore someone accessing
exchange/root.asp could be from someone scanning with a CGI scanner.  If
you run exchange, I would disable sid:1568 but leave sid:1567.

-brian
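
The overlap between the two signatures and the effect of the tuning advice above, as an added example that is not part of the original thread and is not Snort code: plain substring checks over constructed request URIs show that every sid:1567 match is also a sid:1568 match, and what is left once sid:1568 is disabled. The addresses, URIs, function names and the case-insensitive comparison are assumptions; only the two search strings and alert names come from the thread.

```python
# Added example: substring checks on constructed URIs, not Snort's rule engine.
CONTENT = {
    1567: "/exchange/root.asp?acs=anon",  # WEB-MISC /exchange/root.asp attempt
    1568: "/exchange/root.asp",           # WEB-MISC /exchange/root.asp access
}


def matching_sids(uri):
    """Return the sids whose search string occurs in the request URI."""
    lowered = uri.lower()  # assumption: compare case-insensitively
    return sorted(sid for sid, needle in CONTENT.items() if needle in lowered)


def alerts(requests, disabled=()):
    """Return (src, uri, sid) for every enabled sid that matches a request."""
    out = []
    for src, uri in requests:
        for sid in matching_sids(uri):
            if sid not in disabled:
                out.append((src, uri, sid))
    return out


# Constructed sample traffic (documentation address ranges).
REQUESTS = [
    ("192.0.2.10", "/exchange/root.asp"),           # plain access to the page
    ("192.0.2.11", "/exchange/root.asp?acs=anon"),  # string sid:1567 looks for
    ("198.51.100.7", "/Exchange/Root.asp"),         # same path, different case
    ("198.51.100.7", "/index.html"),                # unrelated request
]

if __name__ == "__main__":
    print("all rules enabled:")
    for alert in alerts(REQUESTS):
        print("  ", alert)
    print("sid:1568 disabled (site runs Exchange):")
    for alert in alerts(REQUESTS, disabled={1568}):
        print("  ", alert)
```

With both rules enabled the `?acs=anon` request raises two alerts, because the sid:1568 string is a prefix of the sid:1567 string; with sid:1568 disabled only that request still alerts.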



