[Snort-sigs] Unknown IIS Worm Sigs
Hoover, James A (EIS, Corp)
James.Hoover at ...2589...
Wed Jul 14 13:12:02 EDT 2004
I believe Brian is correct on this. I've been able to confirm that this
rule triggers when visiting the site that was listed on incidents.org.
From: Brian [mailto:bmc at ...95...]
Sent: Friday, June 25, 2004 10:23 AM
To: Matthew Jonkman
Cc: snort-sigs mailinglist
Subject: Re: [Snort-sigs] Unknown IIS Worm Sigs
On Thu, Jun 24, 2004 at 07:04:50PM -0500, Matthew Jonkman wrote:
> Reports of a potential 0-day IIS exploit are coming in, best documented
> at isc.sans.org.
This is not an IIS exploit. It's an exploit that targets IE.
In many configurations, the rules being passed around won't work at all.
If you are using HttpInspect's flow_depth or Http Flow, then looking
at most pages isn't going to work.
We don't ship rules that look for vulnerabilities attacked via
If you want to catch these attacks, use the rules committed 10 days
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT
local resource redirection attempt"; flow:to_client,established;
classtype:attempted-user; sid:2577; rev:2;)
This rule was originally written by nnposter at ...592...
with only minor mods by me.
It works well and catches all of the potential variations that use
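The flow_depth point above, as an added example that is not part of the original thread or of Snort: a simplified model of a depth limit on server responses, showing a header-anchored pattern still matching while a pattern deep in the page body falls outside the inspected bytes. Both patterns, the 300-byte depth, the example.invalid URL and all function names are constructed for illustration; neither pattern is the content of sid 2577.

```python
import re

# Constructed stand-ins: neither pattern is the content of sid 2577 or of the
# rules "being passed around"; they only mark a header hit and a body hit.
HEADER_RULE = re.compile(rb"^Location:", re.I | re.M)
BODY_MARKER = b"EXAMPLE-BODY-MARKER"
BODY_RULE = re.compile(re.escape(BODY_MARKER))


def build_response(padding: int) -> bytes:
    """Constructed server response with the body marker `padding` bytes into the page."""
    headers = (
        b"HTTP/1.1 302 Found\r\n"
        b"Location: http://example.invalid/next\r\n"
        b"Content-Type: text/html\r\n\r\n"
    )
    return headers + b"<html>" + b"A" * padding + BODY_MARKER + b"</html>"


def inspected_window(response: bytes, depth):
    """Simplified depth limit: None inspects everything, n inspects the first n bytes."""
    return response if depth is None else response[:depth]


def evaluate(response: bytes, depth):
    """Run both stand-in rules over only the bytes the depth limit exposes."""
    window = inspected_window(response, depth)
    return {
        "header_rule": bool(HEADER_RULE.search(window)),
        "body_rule": bool(BODY_RULE.search(window)),
    }


def min_depth_for_body(response: bytes) -> int:
    """Smallest depth at which the body rule can see the whole marker."""
    return response.index(BODY_MARKER) + len(BODY_MARKER)


if __name__ == "__main__":
    deep = build_response(1000)      # marker far past a small depth limit
    shallow = build_response(10)     # marker close to the top of the page
    for name, resp in (("deep", deep), ("shallow", shallow)):
        for depth in (300, None):    # 300 is a constructed sample depth
            print(name, depth, evaluate(resp, depth))
    print("depth needed for deep page:", min_depth_for_body(deep))
```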