[Snort-sigs] WEB-IIS Translate update...
Paolo.Milani at ...1843...
Thu Apr 1 03:38:07 EST 2004
I also have been seeing false positives for this rule. I have seen it reported, both in the rule doc and in the bugtraq item, that this attack requires a backslash at the end of the URL, but this isn't tested in the rule.
Perhaps we could add this:
The only problem is that we might get a false negative if the URL and Translate header are neither in the same packet nor in the same stream-reassembled packet (which I suppose is the reason why the HTTP method is not generally tested in HTTP rules, even though it would be useful).
Date: Wed, 31 Mar 2004 15:53:40 -0500
From: Erik Fichtner <emf at ...4...>
To: snort-sigs at lists.sourceforge.net
Reply-To: emf at ...4...
Subject: [Snort-sigs] WEB-IIS Translate update...
Hi all. sid 1042 rev 6 falses an awful lot, and the original attack doesn't happen very
often anymore (if it ever really did). I propose a modification:
(line split for readability)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS view source via translate header"; flow:to_server,established; \
pcre: !"/(PROPFIND|OPTIONS)/i"; \
content: "Translate|3a| F"; nocase; \
content: !"User-Agent|3a| Microsoft-WebDAV-MiniRedir/5.1.2600"; \
reference:arachnids,305; reference:bugtraq,1578; classtype:web-application-activity; sid:1001042; rev:6;)
Principal Engineer, Information Security, ServerVault Corp.
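As an added illustration (not code from either post), the proposed rule's conditions rewritten as a Python check over constructed sample requests, with the trailing-backslash test from the advisory added as an option; the parser assumes the request line and headers arrive in one reassembled buffer, which is exactly the false-negative case discussed above.

```python
import re

# Constructed sample requests (not from the list post): a "Translate: f" probe
# with the trailing backslash, a benign WebDAV client request, and a request
# that carries the header but no trailing backslash.
SAMPLE_REQUESTS = {
    "probe": ("GET /global.asa\\ HTTP/1.0\r\n"
              "Host: www.example.test\r\n"
              "Translate: f\r\n\r\n"),
    "webdav_client": ("PROPFIND /docs/ HTTP/1.1\r\n"
                      "Host: www.example.test\r\n"
                      "User-Agent: Microsoft-WebDAV-MiniRedir/5.1.2600\r\n"
                      "Translate: F\r\n\r\n"),
    "no_backslash": ("GET /default.asp HTTP/1.1\r\n"
                     "Host: www.example.test\r\n"
                     "Translate: F\r\n\r\n"),
}

# Mirrors pcre:!"/(PROPFIND|OPTIONS)/i" (applied to the method) and the negated User-Agent match.
EXCLUDED_METHODS = re.compile(r"^(PROPFIND|OPTIONS)$", re.I)
EXCLUDED_AGENT = "microsoft-webdav-miniredir/5.1.2600"

def parse_request(raw):
    """Split one reassembled request into (method, uri, {lowercase header: value}).
    Request line and headers must be in the same buffer: the false-negative caveat."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split()
    if len(parts) < 2:
        return "", "", {}
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers

def translate_f_alert(raw, require_backslash=True):
    """True when the request meets the proposed rule's conditions; with
    require_backslash, the URL must also end in a backslash."""
    method, uri, headers = parse_request(raw)
    if EXCLUDED_METHODS.match(method):
        return False
    if headers.get("translate", "").lower() != "f":  # Translate|3a| F, nocase
        return False
    if headers.get("user-agent", "").lower() == EXCLUDED_AGENT:
        return False
    if require_backslash and not uri.endswith("\\"):
        return False
    return True
```

Run with require_backslash=False to see the rule as proposed fire on the "no_backslash" sample, and with the default to see only the real probe alert.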