[Snort-sigs] Avoidance of 1817.4 (WEB-IIS MS Site Server default login attempt)

Brian bmc at ...95...
Tue Jul 6 07:56:07 EDT 2004


> I am proposing to convert the authentication clause to PCRE:
> 
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
> (msg:"WEB-IIS MS Site Server default login attempt"; 
> flow:to_server,established; 
> uricontent:"/SiteServer/Admin/knowledge/persmbr/"; nocase; 
> pcre:"/^Authorization\x3a\s*Basic +(?-i)TERBUF9Bbm9ueW1vdXM6TGRhcFBhc3N3b3JkXzE=/mi"; 
> reference:nessus,11018; classtype:web-application-attack; sid:1817; rev:5;)
> 
> P.S. Note the intentional use of both \s and " " 
>      for precise protocol compliance.

Except \t is accepted.

-b
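
The whitespace point raised in this exchange, as an added example that is not part of the original posts: the proposed pattern and a variant that also accepts a tab are run over constructed requests to show which separators each one covers. The `[ \t]+` variant, the names `build` and `coverage`, and the sample requests are assumptions made for illustration.

```python
import re

# Base64 credential string copied from the rule quoted in the thread.
CRED = "TERBUF9Bbm9ueW1vdXM6TGRhcFBhc3N3b3JkXzE="

def build(separator):
    # Python's re has no unscoped (?-i), so the case-sensitive credential
    # is written as the scoped group (?-i:...); /mi becomes re.M | re.I.
    return re.compile(
        r"^Authorization\x3a\s*Basic" + separator + "(?-i:" + re.escape(CRED) + ")",
        re.M | re.I,
    )

PROPOSED = build(" +")       # separator as written in the proposed rule
ADJUSTED = build(r"[ \t]+")  # assumed variant: space or tab, one or more

REQUEST_LINE = "GET /SiteServer/Admin/knowledge/persmbr/ HTTP/1.0\r\n"

# Constructed sample headers; only the Authorization line varies.
SAMPLES = {
    "single space": "Authorization: Basic " + CRED,
    "two spaces, mixed case": "authorization: BASIC  " + CRED,
    "tab": "Authorization: Basic\t" + CRED,
    "space then tab": "Authorization: Basic \t" + CRED,
    "lower-cased credential": "Authorization: Basic " + CRED.lower(),
}

def coverage(pattern):
    """Return {sample label: True if the pattern matches the request}."""
    return {
        label: bool(pattern.search(REQUEST_LINE + header + "\r\n\r\n"))
        for label, header in SAMPLES.items()
    }

if __name__ == "__main__":
    proposed, adjusted = coverage(PROPOSED), coverage(ADJUSTED)
    for label in SAMPLES:
        print(f"{label:24} proposed={proposed[label]!s:5} adjusted={adjusted[label]}")
```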



