[Snort-sigs] Unknown IIS Worm Sigs

Hoover, James A (EIS, Corp) James.Hoover at ...2589...
Wed Jul 14 13:12:02 EDT 2004


I believe Brian is correct on this.  I've been able to confirm that this
rule triggers when visiting the site that was listed on incidents.org,
217.107.218.147.

-----Original Message-----
From: Brian [mailto:bmc at ...95...]
Sent: Friday, June 25, 2004 10:23 AM
To: Matthew Jonkman
Cc: snort-sigs mailinglist
Subject: Re: [Snort-sigs] Unknown IIS Worm Sigs


On Thu, Jun 24, 2004 at 07:04:50PM -0500, Matthew Jonkman wrote:
> Reports of a potential 0-day IIS exploit are coming in, best documented 
> at isc.sans.org.

This is not an IIS exploit.  It's an exploit that targets IE.

In many configurations, the rules being passed around won't work.
Any javascript can be encoded in any arbitrary manner and these won't
work at all.

If you are using HttpInspect's flow_depth or Http Flow, then looking
at most pages isn't going to work. 

We don't ship rules that look for vulnerabilities attacked via
javascript for these reasons.

If you want to catch these attacks, use the rules committed 10 days
ago:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any \
    (msg:"WEB-CLIENT local resource redirection attempt"; \
    flow:to_client,established; content:"Location|3a|"; nocase; \
    pcre:"/^Location\x3a\s*URL\s*\x3a/smi"; reference:cve,2004-0549; \
    reference:url,www.kb.cert.org/vuls/id/713878; \
    classtype:attempted-user; sid:2577; rev:2;)

This rule was originally written by nnposter at ...592...
with only minor mods by me.

It works well and catches all of the potential variations that use
this vulnerability.

Brian
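The following is an added example, not code from the Snort project or from either poster, showing what SID 2577 actually checks: a case-insensitive "Location:" content match on server-to-client data, followed by the pcre /^Location\x3a\s*URL\s*\x3a/smi. It also contrasts that header rule with a body-content signature under an inspection-depth limit, to illustrate Brian's point that rules looking into page bodies are unreliable when only the first part of a response is inspected. The function names, the sample responses and the `inspect_depth` parameter are constructed for this demonstration; the depth handling is a plain byte truncation, not HttpInspect's real flow_depth semantics.

```python
"""Header-based detection modelled on Snort SID 2577 (CVE-2004-0549).

Added example; not the Snort project's code. Sample responses below are
constructed placeholders, not captured traffic.
"""
import re

# Snort: content:"Location|3a|"; nocase;   (cheap pre-filter before the regex)
CONTENT_LOCATION = b"location:"

# Snort: pcre:"/^Location\x3a\s*URL\s*\x3a/smi"
#   s = dot matches newline, m = ^ anchors at every line start, i = case-insensitive
PCRE_LOCATION_URL = re.compile(rb"^Location\x3a\s*URL\s*\x3a", re.S | re.M | re.I)

SID_2577 = {"sid": 2577, "rev": 2,
            "msg": "WEB-CLIENT local resource redirection attempt"}


def _inspected(server_payload: bytes, inspect_depth: int) -> bytes:
    """Constructed simplification: inspect_depth > 0 limits inspection to the
    leading bytes of the server response; 0 inspects everything."""
    return server_payload[:inspect_depth] if inspect_depth > 0 else server_payload


def sid_2577_matches(server_payload: bytes, inspect_depth: int = 0) -> bool:
    """True when both the content match and the pcre of SID 2577 hit.
    Direction (flow:to_client) is assumed: callers pass server data only."""
    data = _inspected(server_payload, inspect_depth)
    if CONTENT_LOCATION not in data.lower():
        return False
    return PCRE_LOCATION_URL.search(data) is not None


def body_token_matches(server_payload: bytes, token: bytes,
                       inspect_depth: int = 0) -> bool:
    """Stand-in for a body/JavaScript content signature: a literal token
    anywhere in the inspected response bytes (hypothetical rule)."""
    return token in _inspected(server_payload, inspect_depth)


def scan_responses(responses, inspect_depth: int = 0):
    """Run the header rule over (name, payload) pairs; return names that alert."""
    return [name for name, payload in responses
            if sid_2577_matches(payload, inspect_depth)]


# Constructed sample server responses (placeholder targets, not real sites).
SAMPLES = [
    ("benign-redirect",
     b"HTTP/1.1 302 Found\r\nLocation: http://www.example.com/login\r\n\r\n"),
    ("url-prefix-redirect",
     b"HTTP/1.1 302 Found\r\nLocation: URL: PLACEHOLDER-TARGET\r\n\r\n"),
    ("odd-case-and-spacing",
     b"HTTP/1.1 302 Found\r\nServer: x\r\nLOCATION:\turl  :PLACEHOLDER-TARGET\r\n\r\n"),
    ("location-in-body-text",
     b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<p>Location: URL: in text</p>"),
]


def depth_comparison(inspect_depth: int = 300):
    """Header rule vs. body-token rule on one response whose body token sits
    well past the inspected depth. Returns (header_hit, body_hit)."""
    padding = b"<!-- " + b"x" * 1000 + b" -->"
    resp = (b"HTTP/1.1 302 Found\r\nLocation: URL: PLACEHOLDER-TARGET\r\n\r\n"
            + padding + b"CONSTRUCTED_SCRIPT_MARKER")
    return (sid_2577_matches(resp, inspect_depth),
            body_token_matches(resp, b"CONSTRUCTED_SCRIPT_MARKER", inspect_depth))


if __name__ == "__main__":
    for name in scan_responses(SAMPLES):
        print(f"[sid {SID_2577['sid']}] {SID_2577['msg']} <- {name}")
    print("depth 300 (header, body):", depth_comparison(300))
    print("depth 0   (header, body):", depth_comparison(0))
```

Two things the samples make visible: the `m` flag means the pcre only fires where "Location" begins a line, so the same text inside an HTML paragraph does not alert; and because the Location header sits in the first few dozen bytes of the response, a header rule is unaffected by an inspection-depth limit that silently drops a body-based match.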

