[Snort-sigs] Unknown IIS Issue

Matthew Jonkman matt at ...2436...
Wed Jul 28 11:33:34 EDT 2004

I am seeing some of the same hits on occasion now, a lot fewer though.

I am certain they were real. I've grabbed the exploit code and run it 
myself and got the same string in the same place in the stream. That's 
good enough for me to be sure.


Frank Knobbe wrote:

> On Mon, 2004-07-19 at 16:29, Matthew Jonkman wrote:
>>Yes, I agree it does. In fact we had 2 rules on bleeding that both 
>>covered it by just seeing the THCOWNZIIS string in the ssl stream. I was 
>>just talking to 2 people today though that are not seieng both 
>>signatures trip at the same time, which I assume should happen.
>>I'm getting 40 or 50 hits on the sig just looking for THCOWNZIIS that 
>>look legitimate. They're in an ssl stream close to the beginning of the 
>>conversation. But no hits on 2515 at the same time.
>>I haven't had time to look into it yet though. Once I do I'll send 
>>packet dumps out to see if anyone has any odeas.
> Have you been able to determine if those 40-50 hits you are seeing are
> just plain false positives, or actual exploit attempts not caught by the
> other rule?
> Regards,
> Frank

More information about the Snort-sigs mailing list