[Snort-sigs] Signature 1567 vs. 1568 (root.asp)
bmc at ...95...
Sun Jan 26 15:57:02 EST 2003
On Mon, Dec 16, 2002 at 03:33:41PM +0100, Melanie Rieback wrote:
> I have a question about snort alert 1567 (WEB-MISC /exchange/root.asp attempt) vs alert 1568 (WEB-MISC /exchange/root.asp access).
> Alert 1567 looks for the following string: "/exchange/root.asp?acs=anon"
> Alert 1568 looks for the following string: "/exchange/root.asp"
> I looked around on the web, and the only root.asp exploit that I could find is described by Alert 1567. (See bottom of email for a description of the exploit.) Therefore, I was wondering why alert 1568 also exists.
> I am currently monitoring a large network, and alert 1568 is creating a
> number of false positives for what appears to me to be normal usage. Is
> there another exploit of /exchange/root.asp that does not include
> "?acs=anon", or does this other alert have some sort of greater purpose?
Well, most people don't run Exchange, and therefore someone accessing
exchange/root.asp could be from someone scanning with a CGI scanner. If
you run Exchange, I would disable sid:1568 but leave sid:1567.