[Snort-sigs] Avoidance of 1817.4 (WEB-IIS MS Site Server default login attempt)

nnposter at ...592...
Fri Jul 2 17:06:07 EDT 2004


Rule:  WEB-IIS MS Site Server default login attempt

--
Sid: 1817

--
Summary:

--
Impact:

--
Detailed Information:

--
Affected Systems:

--
Attack Scenarios:

--
Ease of Attack:

--
False Positives:

--
False Negatives:
The current version of the rule incorrectly assumes specific HTTP header
capitalization, specific authentication scheme capitalization, and
overall spacing. As a result, an attacker can easily get around the
signature.

See http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2
See http://www.ietf.org/rfc/rfc2617.txt
--
Corrective Action:

--
Contributors:

-- 
Additional References:


I am proposing to convert the authentication clause to PCRE:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-IIS MS Site Server default login attempt"; 
flow:to_server,established; 
uricontent:"/SiteServer/Admin/knowledge/persmbr/"; nocase; 
pcre:"/^Authorization\x3a\s*Basic +(?-i)TERBUF9Bbm9ueW1vdXM6TGRhcFBhc3N3b3JkXzE=/mi"; 
reference:nessus,11018; classtype:web-application-attack; sid:1817; rev:5;)

P.S. Note the intentional use of both \s and " " 
     for precise protocol compliance.
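
Added example, not part of the original post: a Python port of the proposed pcre clause, run as a regression check against constructed Authorization header variants. Python's re has no mid-pattern (?-i), so the scoped form (?-i:...) is substituted; the helper names, the Host value and the sample request are assumptions.

```python
import base64
import re

# Base64 token copied from the proposed rule on this page.
TOKEN = "TERBUF9Bbm9ueW1vdXM6TGRhcFBhc3N3b3JkXzE="

# Port of the proposed pcre clause (/mi flags). The token stays case-sensitive
# through the scoped group (?-i:...), standing in for PCRE's (?-i).
AUTH_RE = re.compile(
    r"^Authorization\x3a\s*Basic +(?-i:" + re.escape(TOKEN) + r")",
    re.MULTILINE | re.IGNORECASE,
)

def build_request(auth_line):
    """Constructed sample request carrying one Authorization header line."""
    return ("GET /SiteServer/Admin/knowledge/persmbr/ HTTP/1.0\r\n"
            "Host: www.example.com\r\n"
            + auth_line + "\r\n\r\n")

def alerts(auth_line):
    """True when the ported pattern matches the constructed request."""
    return AUTH_RE.search(build_request(auth_line)) is not None

def decoded(token):
    """Decode a Basic credentials token to text (latin-1 keeps every byte)."""
    return base64.b64decode(token).decode("latin-1")

# Constructed header variants: (label, header line, expected match).
CASES = [
    ("canonical form",          "Authorization: Basic " + TOKEN,       True),
    ("lowercase header name",   "authorization: Basic " + TOKEN,       True),
    ("uppercase scheme",        "Authorization: BASIC " + TOKEN,       True),
    ("no space after colon",    "Authorization:Basic " + TOKEN,        True),
    ("extra spaces",            "Authorization:   Basic   " + TOKEN,   True),
    # Base64 is case-sensitive: a re-cased token encodes other credentials.
    ("re-cased token",          "Authorization: Basic " + TOKEN.lower(), False),
    ("different header",        "Proxy-Authorization: Basic " + TOKEN, False),
]

def run_cases():
    """Return (label, got, expected) for every constructed case."""
    return [(label, alerts(line), want) for label, line, want in CASES]

if __name__ == "__main__":
    for label, got, want in run_cases():
        print(("ok  " if got == want else "FAIL"), label)
```
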



