[Snort-sigs] WEB-IIS Translate update...

Milani Paolo Paolo.Milani at ...1843...
Thu Apr 1 03:38:07 EST 2004

I also have been seeing false positives for this rule. I have seen it reported, both in the rule doc and in the Bugtraq item, that this attack requires a backslash at the end of the URL, but this isn't tested in the rule.
Perhaps we could add this:


The only problem is that we might get a false negative if the URL and the Translate header are neither in the same packet nor in the same stream-reassembled packet (which I suppose is the reason why the HTTP method is not generally tested in HTTP rules, even though it would be useful).

Paolo Milani

Date: Wed, 31 Mar 2004 15:53:40 -0500
From: Erik Fichtner <emf at ...4...>
To: snort-sigs at lists.sourceforge.net
Reply-To: emf at ...4...
Subject: [Snort-sigs] WEB-IIS Translate update...


Hi all.   sid 1042 rev 6 falses an awful lot, and the original attack doesn't happen very 
often anymore (if it ever really did).  I propose a modification:

(line split for readability)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS view source via translate header"; flow:to_server,established; \
    pcre: !"/(PROPFIND|OPTIONS)/i"; \
    content: "Translate|3a| F"; nocase; \
    content: !"User-Agent|3a| Microsoft-WebDAV-MiniRedir/5.1.2600"; \
    reference:arachnids,305; reference:bugtraq,1578; classtype:web-application-activity; sid:1001042; rev:6;)

-- 
Erik Fichtner
Principal Engineer, Information Security, ServerVault Corp.



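The following is an added example, not code from either poster: it emulates the match conditions of Erik's proposed rule in Python, adds Paolo's trailing-backslash check on the request URI, and runs both over constructed HTTP requests (the hostnames and request bodies are made up for the test) to show which of them alert, and how splitting the request across two unreassembled segments produces the false negative Paolo describes.

```python
import re

# Constructed sample requests (assumed, not taken from the thread). The attack in
# bugtraq 1578 is a request for a script with a trailing backslash on the URI plus
# the header "Translate: f", which made IIS 5 return the script source.
REQUESTS = {
    "attack":      "GET /default.asp\\ HTTP/1.0\r\nHost: www.example.com\r\nTranslate: f\r\n\r\n",
    "plain_get":   "GET /default.asp HTTP/1.0\r\nHost: www.example.com\r\nTranslate: f\r\n\r\n",
    "webdav_prop": "PROPFIND /docs/ HTTP/1.1\r\nHost: www.example.com\r\nTranslate: f\r\nDepth: 1\r\n\r\n",
    "miniredir":   ("GET /docs/a.doc HTTP/1.1\r\nHost: www.example.com\r\n"
                    "User-Agent: Microsoft-WebDAV-MiniRedir/5.1.2600\r\nTranslate: f\r\n\r\n"),
}

MINIREDIR_UA = "user-agent: microsoft-webdav-miniredir/5.1.2600"


def proposed_rule_matches(payload: str) -> bool:
    """Emulate Erik's proposed rule: 'Translate: F' present (nocase), the negated
    pcre /(PROPFIND|OPTIONS)/i not matching anywhere in the payload, and the
    MiniRedir User-Agent absent. Snort 'nocase' is modelled by lowercasing."""
    low = payload.lower()
    if "translate: f" not in low:
        return False
    if re.search(r"(propfind|options)", low):  # pcre: !"/(PROPFIND|OPTIONS)/i"
        return False
    if MINIREDIR_UA in low:
        return False
    return True


def with_backslash_check(payload: str) -> bool:
    """Paolo's refinement: additionally require a backslash at the end of the
    request URI, as the rule doc and Bugtraq item say the attack needs."""
    if not proposed_rule_matches(payload):
        return False
    request_line = payload.split("\r\n", 1)[0]
    parts = request_line.split(" ")
    return len(parts) >= 2 and parts[1].endswith("\\")


def per_packet_alert(segments, detector) -> bool:
    """Paolo's caveat: without stream reassembly each segment is inspected on its
    own, so a request line and Translate header in different segments never
    appear in one buffer and the rule cannot fire."""
    return any(detector(seg) for seg in segments)
```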