[Snort-sigs] Signature 1567 vs. 1568 (root.asp)

Rich Adamson radamson at ...908...
Mon Jan 27 05:34:02 EST 2003


Brian,

> > I am currently monitoring a large network, and alert 1568 is creating a 
> > number of false positives for what appears to me to be normal usage.   Is 
> > there another exploit of /exchange/root.asp that does not include 
> > "?acs=anon", or does this other alert have some sort of greater purpose?
> 
> Well, most people don't run exchange, and therefore someone accessing
> exchange/root.asp could be from someone scanning with a CGI scanner.  If
> you run exchange, I would disable sid:1568 but leave sid:1567.

Be careful with that assumption as it's apparently based only on your
exposure. We've been providing network performance and security assessments
to corporations in 40+ states over the past 10 years, and the majority
of these companies have bought into the Microsoft products (including 
Exchange) in a very large way. In fact, over the last three years we've
run into a fair number that have specific objectives to remove the few
remaining Linux (and other unix-based systems) primarily due to lack of
knowledge / experience their MS-focused support staff has. Go figure.
(That certainly could be reversing again if MS keeps pushing the limits
on license fees.)

It would be "very" interesting to see the results of a survey that would
summarize the production & security-oriented systems in use by those
that frequent this list. Excluding the folks that are running snort on 
their home systems and the educational institutions that are frequently 
constrained by funding and political causes (no slams intended), I think 
you've already seen a fair number of postings over the last year or two 
from those that are only interested in Windows-based products for some
of those very reasons.

More recent proof: I'd bet a fair amount that for every system hit by
the SQL worm in the last two days (which in many cases should probably
not have been exposed to the Internet), there is at least one (and 
probably more like five or ten) Exchange boxes sitting right next to 
those MS SQL servers. One or two exposed, the remainder buried in 
corporate infrastructure across political boundaries.

Or stating the above from a negative perspective, if it were not for
the MS products, the I/T security industry (and snort team formation) 
wouldn't be 50% of what it is today for obvious reasons.

(Note: our tools and lab include Linux, Windows, Sun, etc. Zero interest
in OS wars from here, and I'm not the poster of the original question.)

Rich
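The tuning decision under discussion (keep sid 1567, drop sid 1568 where Exchange is in use) is easier to reason about if you can see what each signature would fire on in your own environment. The script below is an added example, not code from this thread or from the Snort project: it emulates the two content matches as a plain substring check over a constructed list of request URIs. The match strings are an assumption drawn from the thread (1568 keys on any /exchange/root.asp request, 1567 on the narrower ?acs=anon form); the real rules carry more options than this reproduces.

```python
# Added example (not from the Snort-sigs thread or the Snort rule set):
# emulate the two content matches discussed in the thread so the effect of
# disabling sid 1568 can be measured against a sample of requests.
# ASSUMPTION: sid 1568 matches any /exchange/root.asp request, sid 1567
# additionally requires "?acs=anon". Taken from the thread, not from the rules.
from collections import Counter

SID_RULES = {
    1567: ("/exchange/root.asp", "?acs=anon"),   # every string must be present
    1568: ("/exchange/root.asp",),
}


def fired_sids(uri):
    """Return the set of sids whose content strings all appear in the URI.

    lower() stands in for a case-insensitive match; this is an approximation
    of rule matching, not a Snort implementation.
    """
    u = uri.lower()
    return {sid for sid, needles in SID_RULES.items() if all(n in u for n in needles)}


# Constructed sample of request URIs, as they might appear in a web access log.
SAMPLE_REQUESTS = [
    "/exchange/root.asp",            # OWA user logging in: normal on an Exchange host
    "/exchange/root.asp?acs=anon",   # the anonymous-access form the thread calls out
    "/exchange/ROOT.ASP?acs=anon",   # same, mixed case
    "/exchange/logon.asp",
    "/cgi-bin/test.cgi",             # generic scanner noise, matches neither sid
    "/exchange/root.asp",
]


def tuned_sids(runs_exchange):
    """The tuning suggested in the thread: keep 1567 everywhere,
    disable 1568 only on networks where Exchange is actually in use."""
    return {1567} if runs_exchange else {1567, 1568}


def alert_counts(uris, enabled_sids):
    """Count alerts per sid over a list of URIs, honouring the enabled set."""
    counts = Counter()
    for uri in uris:
        for sid in fired_sids(uri) & enabled_sids:
            counts[sid] += 1
    return dict(counts)


if __name__ == "__main__":
    # Rich's point in the reply above is that whether Exchange is present
    # varies by environment, so the decision is shown for both cases.
    for runs_exchange in (False, True):
        print(f"runs_exchange={runs_exchange}: "
              f"{alert_counts(SAMPLE_REQUESTS, tuned_sids(runs_exchange))}")
```

Running it shows that with both sids enabled the two ordinary OWA logins in the sample raise 1568 on their own, while 1567 fires only on the two ?acs=anon requests; dropping 1568 on an Exchange network removes the benign hits and leaves the narrower alert intact. Substitute your own access-log URIs for the constructed list to see the same split for your environment.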