[Snort-sigs] WebDav exploits - individual signatures

Joe Stewart jstewart at ...5...
Tue May 13 06:43:08 EDT 2003


Snort sigs from the list of WebDav exploits I am maintaining at:
http://www.lurhq.com/webdav.html

Note that all of these exploits would already be detected by the 
existing WebDav traffic rules (sids 957 and 969); however, due to 
the high noise ratio of those sigs, more specific signatures may be 
more desirable for some networks.

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXPLOIT WebDav ntdll.dll (rs_iis)"; flow: to_server; content:"|0190 9090 685e 56c3 9054 59ff d158 33c9|"; reference:cve,CAN-2003-0109; reference:url,www.lurhq.com/webdav.html; classtype:attempted-admin; sid:1000010; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXPLOIT WebDav ntdll.dll (kralor probe)"; flow: to_server; content:"|5345 4152 4348 202f 2048 5454 502f 312e 310d 0a48 6f73 743a|"; depth:24; dsize:<89; reference:cve,CAN-2003-0109; reference:url,www.lurhq.com/webdav.html; classtype:attempted-admin; sid:1000011; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXPLOIT WebDav ntdll.dll (kralor shellcode)"; flow: to_server; content:"|558b ec33 c953 5657 8d7d a2b1 25b8 cccc|"; reference:cve,CAN-2003-0109; reference:url,www.lurhq.com/webdav.html; classtype:attempted-admin; sid:1000012; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXPLOIT WebDav ntdll.dll (webdavx.pl)"; flow: to_server; content:"|4c4f 434b 202f 4141 4141 4141 4141 4141 4141|"; reference:cve,CAN-2003-0109; reference:url,www.lurhq.com/webdav.html; classtype:attempted-admin; sid:1000013; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXPLOIT WebDav ntdll.dll (wd.pl)"; flow: to_server; content:"|4c4f 434b 202f 5858 5858 5858 5858 5858 5858|"; reference:cve,CAN-2003-0109; reference:url,www.lurhq.com/webdav.html; classtype:attempted-admin; sid:1000014; rev:1;)

-Joe

-- 
Joe Stewart, GCIH 
Senior Intrusion Analyst
LURHQ Corporation
http://www.lurhq.com/
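The following is an added example, not part of Joe's post or of LURHQ's code: a small Python matcher that parses the five rules above (content, depth, dsize, sid) and runs them over constructed single-packet payloads, to show why the `depth:24; dsize:<89;` pair on the kralor probe signature keeps an ordinary SEARCH request from tripping it. It deliberately models only the per-packet content semantics; `flow:to_server` and stream reassembly are parsed but not evaluated, and the host 10.0.0.5 in the samples is made up.

```python
import re

# The five signatures from the post, one per line (the mail client had wrapped
# them). Only msg, content, depth, dsize and sid are interpreted below; flow,
# reference, classtype and rev are parsed and ignored.
RULES_TEXT = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXPLOIT WebDav ntdll.dll (rs_iis)"; flow: to_server; content:"|0190 9090 685e 56c3 9054 59ff d158 33c9|"; reference:cve,CAN-2003-0109; reference:url,www.lurhq.com/webdav.html; classtype:attempted-admin; sid:1000010; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXPLOIT WebDav ntdll.dll (kralor probe)"; flow: to_server; content:"|5345 4152 4348 202f 2048 5454 502f 312e 310d 0a48 6f73 743a|"; depth:24; dsize:<89; reference:cve,CAN-2003-0109; reference:url,www.lurhq.com/webdav.html; classtype:attempted-admin; sid:1000011; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXPLOIT WebDav ntdll.dll (kralor shellcode)"; flow: to_server; content:"|558b ec33 c953 5657 8d7d a2b1 25b8 cccc|"; reference:cve,CAN-2003-0109; reference:url,www.lurhq.com/webdav.html; classtype:attempted-admin; sid:1000012; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXPLOIT WebDav ntdll.dll (webdavx.pl)"; flow: to_server; content:"|4c4f 434b 202f 4141 4141 4141 4141 4141 4141|"; reference:cve,CAN-2003-0109; reference:url,www.lurhq.com/webdav.html; classtype:attempted-admin; sid:1000013; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXPLOIT WebDav ntdll.dll (wd.pl)"; flow: to_server; content:"|4c4f 434b 202f 5858 5858 5858 5858 5858 5858|"; reference:cve,CAN-2003-0109; reference:url,www.lurhq.com/webdav.html; classtype:attempted-admin; sid:1000014; rev:1;)
'''

HEADER_RE = re.compile(r'^alert\s+tcp\s+\S+\s+\S+\s+->\s+\S+\s+\S+\s+\((.*)\)$')
OPTION_RE = re.compile(r'(\w+)\s*:\s*("[^"]*"|[^;]*);')


def parse_content(spec):
    """Decode a Snort content string: text outside |...| is literal,
    text inside |...| is hex with whitespace ignored."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2 == 1:
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("latin-1")
    return bytes(out)


def parse_rule(line):
    """Reduce one rule to the fields the matcher needs."""
    body = HEADER_RE.match(line.strip()).group(1)
    rule = {"sid": None, "msg": None, "content": None, "depth": None, "dsize_lt": None}
    for key, value in OPTION_RE.findall(body):
        value = value.strip()
        if key == "msg":
            rule["msg"] = value.strip('"')
        elif key == "sid":
            rule["sid"] = int(value)
        elif key == "content":
            rule["content"] = parse_content(value.strip('"'))
        elif key == "depth":
            rule["depth"] = int(value)
        elif key == "dsize":
            # The post only uses the "<N" form: payload shorter than N bytes.
            rule["dsize_lt"] = int(re.fullmatch(r'<(\d+)', value).group(1))
    return rule


RULES = [parse_rule(l) for l in RULES_TEXT.strip().splitlines()]


def rule_matches(rule, payload):
    """Check dsize against the whole packet payload, then look for the content
    within the first `depth` bytes (or anywhere when no depth is given)."""
    if rule["dsize_lt"] is not None and len(payload) >= rule["dsize_lt"]:
        return False
    window = payload if rule["depth"] is None else payload[: rule["depth"]]
    return rule["content"] in window


def match_payload(payload):
    """Return the sids of every rule that fires on one packet payload."""
    return sorted(r["sid"] for r in RULES if rule_matches(r, payload))


# Constructed single-packet payloads; 10.0.0.5 is a made-up host.
SAMPLES = {
    "kralor probe": b"SEARCH / HTTP/1.1\r\nHost: 10.0.0.5\r\n\r\n",
    "normal SEARCH": (b"SEARCH / HTTP/1.1\r\nHost: 10.0.0.5\r\nContent-Type: text/xml\r\n"
                      b"Content-Length: 107\r\n\r\n<?xml version=\"1.0\"?><D:searchrequest "
                      b"xmlns:D=\"DAV:\"><D:sql>SELECT * FROM SCOPE()</D:sql></D:searchrequest>"),
    "normal LOCK": b"LOCK /docs/report.doc HTTP/1.1\r\nHost: 10.0.0.5\r\nTimeout: Second-600\r\n\r\n",
    "webdavx.pl LOCK": b"LOCK /" + b"A" * 16 + b" HTTP/1.1\r\nHost: 10.0.0.5\r\n\r\n",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:16} ({len(payload):3} bytes) -> {match_payload(payload)}")
```

Two details worth noticing in the output: the kralor probe content is exactly 24 bytes, so `depth:24` only accepts it at offset 0 of the packet, and `dsize:<89` is what separates a bare 37-byte probe from a real SEARCH request carrying a Host header and an XML body. Snort evaluates dsize per packet, so each sample here stands in for one packet payload; the matcher does not model TCP stream reassembly.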
