[Snort-sigs] WEB-IIS Translate update...

Milani Paolo Paolo.Milani at ...1843...
Thu Apr 1 07:05:30 EST 2004


Sorry, got the regexp a bit wrong

should be:

pcre:"!\\\s+HTTP/1\.[01]\s*$!im";

(at least 1 space after url, and escape . char for http/1.x)

ciao
Paolo Milani
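Added example, not part of the list posts: the corrected pcre above combined with the negated checks from Erik's proposed rule, applied in Python's re module (which handles this PCRE subset the same way) to constructed HTTP request payloads. It also reproduces the caveat that the check cannot fire when the request line and the Translate header arrive in separate, unreassembled packets.

```python
import re

# Same expression as the corrected pcre: a literal backslash, at least one
# whitespace character, then HTTP/1.0 or HTTP/1.1 at the end of the request
# line. "im" flags map to IGNORECASE | MULTILINE.
TRAILING_BACKSLASH = re.compile(r"\\\s+HTTP/1\.[01]\s*$", re.IGNORECASE | re.MULTILINE)
# Negated matches from the proposed rule: WebDAV methods that legitimately
# send "Translate: f", and the XP MiniRedir client. Unanchored, as in the rule.
DAV_METHOD = re.compile(r"(PROPFIND|OPTIONS)", re.IGNORECASE)
MINIREDIR_UA = "User-Agent: Microsoft-WebDAV-MiniRedir/5.1.2600"


def translate_f_suspicious(payload: str) -> bool:
    """True when one payload carries a 'Translate: f' header, no PROPFIND/OPTIONS
    method, no MiniRedir client string, and a backslash-terminated request URL."""
    if "translate: f" not in payload.lower():      # content:"Translate|3a| F"; nocase;
        return False
    if DAV_METHOD.search(payload):                  # pcre:!"/(PROPFIND|OPTIONS)/i"
        return False
    if MINIREDIR_UA in payload:                     # content:!"User-Agent|3a| ..."
        return False
    return TRAILING_BACKSLASH.search(payload) is not None


# Constructed sample requests, CRLF line endings as on the wire.
BACKSLASH_REQUEST = ("GET /page.asp\\ HTTP/1.0\r\n"
                     "Host: www.example.com\r\n"
                     "Translate: f\r\n\r\n")
NORMAL_DAV = ("PROPFIND /docs/ HTTP/1.1\r\n"
              "Host: www.example.com\r\n"
              "Translate: f\r\n\r\n")
NO_BACKSLASH = ("GET /default.asp HTTP/1.1\r\n"
                "Host: www.example.com\r\n"
                "Translate: f\r\n\r\n")
# The same request as BACKSLASH_REQUEST, split across two packets that were
# not reassembled: neither fragment alone satisfies every check.
SPLIT_FRAGMENTS = ("GET /page.asp\\ HTTP/1.0\r\nHost: www.example.com\r\n",
                   "Translate: f\r\n\r\n")


def split_request_detected(fragments=SPLIT_FRAGMENTS) -> bool:
    """Per-packet evaluation of the split request; returns False (false negative)."""
    return any(translate_f_suspicious(frag) for frag in fragments)
```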

-----Original Message-----
From:	Milani Paolo
Sent:	Thu 01/04/2004 13.37
To:	snort-sigs at lists.sourceforge.net
Cc:	
Subject:	RE:  [Snort-sigs] WEB-IIS Translate update...

I also have been seeing false positives for this rule. I have seen reported both in the rule doc and in the bugtraq item that this attack requires a backslash at the end of the url, but this isn't tested in the rule.
perhaps we could add this:

pcre:"!\\\s*HTTP/1.[01]\s*$!im";

Only problem is we might false negative if url and translate header are neither in same packet nor in same stream-reassembled packet (which I suppose is the reason why http method is not generally tested in http rules, even though it would be useful).

ciao,
Paolo Milani


Date: Wed, 31 Mar 2004 15:53:40 -0500
From: Erik Fichtner <emf at ...4...>
To: snort-sigs at lists.sourceforge.net
Reply-To: emf at ...4...
Subject: [Snort-sigs] WEB-IIS Translate update...



Hi all.   sid 1042 rev 6 falses an awful lot, and the original attack doesn't happen very 
often anymore (if it ever really did).  I propose a modification:

(line split for readability)


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS view source via translate header"; flow:to_server,established; \
	pcre: !"/(PROPFIND|OPTIONS)/i"; \
	content: "Translate|3a| F"; nocase; \
	content: !"User-Agent|3a| Microsoft-WebDAV-MiniRedir/5.1.2600"; \
	reference:arachnids,305; reference:bugtraq,1578; classtype:web-application-activity; sid:1001042; rev:6;)



-- 
Erik Fichtner
Principal Engineer, Information Security, ServerVault Corp.
703-652-5900








