[Snort-sigs] Unknown IIS Worm Sigs

Brian bmc at ...95...
Fri Jun 25 07:23:05 EDT 2004


On Thu, Jun 24, 2004 at 07:04:50PM -0500, Matthew Jonkman wrote:
> Reports of a potential 0-day IIS exploit are coming in, best documented 
> at isc.sans.org.

This is not an IIS exploit.  It's an exploit that targets IE.

In many configurations, the rules being passed around won't work.
Any javascript can be encoded in any arbitrary manner and these won't
work at all.

If you are using HttpInspect's flow_depth or Http Flow, then looking
at most pages isn't going to work. 

We don't ship rules that look for vulnerabilities attacked via
javascript for these reasons.

If you want to catch these attacks, use the rules committed 10 days
ago:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT
    local resource redirection attempt"; flow:to_client,established;
    content:"Location|3a|"; nocase;
    pcre:"/^Location\x3a\s*URL\s*\x3a/smi"; reference:cve,2004-0549;
    reference:url,www.kb.cert.org/vuls/id/713878;
    classtype:attempted-user; sid:2577; rev:2;)

This rule was originally written by nnposter at ...592...
with only minor mods by me.

It works well and catches all of the potential variations that use
this vulnerability.

Brian
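The matching logic of sid:2577 above, re-implemented in Python as an added example (not part of Brian's post or the Snort distribution) and run over constructed HTTP responses: a case-insensitive "Location:" prefilter followed by the equivalent of the rule's PCRE, applied only to the response header block, which is an assumption of this example rather than how Snort scopes the payload.

```python
import re

# Stage 1 mirrors content:"Location|3a|"; nocase; (a cheap substring prefilter).
# Stage 2 mirrors pcre:"/^Location\x3a\s*URL\s*\x3a/smi": re.M lets ^ match at
# the start of each header line, re.I gives case-insensitivity; PCRE's /s only
# changes what '.' matches and this pattern contains no '.', so it is not needed.
PREFILTER = b"location:"
LOCAL_REDIRECT_RE = re.compile(rb"^Location:\s*URL\s*:", re.I | re.M)


def headers_of(response: bytes) -> bytes:
    """Return the header block of an HTTP response (everything before the blank line)."""
    end = response.find(b"\r\n\r\n")
    return response if end == -1 else response[:end]


def matches_sid_2577(response: bytes) -> bool:
    """True when a server response carries a Location header whose value begins
    with 'URL:' - the shape sid:2577 alerts on for CVE-2004-0549."""
    hdrs = headers_of(response)
    if PREFILTER not in hdrs.lower():       # content match, nocase
        return False
    return LOCAL_REDIRECT_RE.search(hdrs) is not None   # pcre match


def classify(responses):
    """Apply the detector to a list of responses; returns one bool per response."""
    return [matches_sid_2577(r) for r in responses]


# Constructed sample responses (not captured traffic). The suspect one uses
# odd casing and spacing to show the rule's nocase/\s* tolerance; its target
# path is a placeholder, not a real local resource.
BENIGN = (b"HTTP/1.1 302 Found\r\n"
          b"Location: http://www.example.com/login\r\n\r\n")
SUSPECT = (b"HTTP/1.1 302 Found\r\n"
           b"location:  url :  placeholder-local-resource\r\n\r\n")
NO_LOCATION = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
               b"<html>Location: URL: in the body does not count</html>")

if __name__ == "__main__":
    for name, resp in (("benign", BENIGN), ("suspect", SUSPECT),
                       ("no-location", NO_LOCATION)):
        print(f"{name}: alert={matches_sid_2577(resp)}")
```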