[Snort-sigs] Web service rules

Joel Maslak jmaslak at ...1560...
Thu Jun 5 07:48:04 EDT 2003

These rules detect some .NET remote procedure call activity.

The first rule detects remote use of a Web Service.  Web Services 
generally shouldn't be called from the Internet at large.

The second rule detects use of the Web Service discovery protocol, a 
tactic that is often used by hackers to conduct research on a site.

The third rule detects attempted access to an IIS server's trace.asd file, 
used by programmers for debugging information.

The fourth rule detects attempted access to the web.conf file, which 
commonly contains database connection strings (including passwords).  IIS 
normally blocks access to web.conf, but I like to be sure.

==== //depot/development/snort-rules/local/local.rules#44 - /home/jmasla/perforce/development/snort-rules/local/local.rules ====
> # IIS Web Service Call
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Web Service call"; flow:to_server,established; uricontent:".asmx"; nocase; classtype:web-application-attack; sid:1000001; rev:1;)
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS DISCO discovery attempt"; flow:to_server,established; uricontent:".disco"; nocase; classtype:web-application-attack; sid:1000002; rev:1;)
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ASP.NET Trace attempt"; flow:to_server,established; uricontent:"trace.asd"; nocase; classtype:web-application-attack; sid:1000003; rev:1;)
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS web.config access attempt"; flow:to_server,established; uricontent:"web.config"; nocase; classtype:web-application-attack; sid:1000004; rev:1;)
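
Review bot: in the third rule (sid:1000003) the match is uricontent:"trace.asd", but the ASP.NET trace viewer is requested as trace.axd, so this rule will not fire on the request its msg describes; the content should read "trace.axd". Separately, sid:1000001 matches ".asmx" anywhere in the URI and classifies every hit as web-application-attack, which will alert on any legitimate Web Service call from $EXTERNAL_NET; if these are meant as policy or visibility alerts, a classtype such as web-application-activity would set the priority more accurately. The same applies to ".disco" in sid:1000002.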

Joel Maslak
Antelope Enterprises
