[Snort-sigs] Unknown IIS Issue

Frank Knobbe frank at ...1978...
Wed Jul 28 11:33:26 EDT 2004


On Mon, 2004-07-19 at 16:29, Matthew Jonkman wrote:
> Yes, I agree it does. In fact we had 2 rules on bleeding that both 
> covered it by just seeing the THCOWNZIIS string in the ssl stream. I was 
> just talking to 2 people today though that are not seeing both 
> signatures trip at the same time, which I assume should happen.
> 
> I'm getting 40 or 50 hits on the sig just looking for THCOWNZIIS that 
> look legitimate. They're in an ssl stream close to the beginning of the 
> conversation. But no hits on 2515 at the same time.
> 
> I haven't had time to look into it yet though. Once I do I'll send 
> packet dumps out to see if anyone has any ideas.


Have you been able to determine if those 40-50 hits you are seeing are
just plain false positives, or actual exploit attempts not caught by the
other rule?

Regards,
Frank
