[Snort-sigs] Unknown IIS Worm Sigs
bmc at ...95...
Fri Jun 25 07:23:05 EDT 2004
On Thu, Jun 24, 2004 at 07:04:50PM -0500, Matthew Jonkman wrote:
> Reports of a potential 0-day IIS exploit are coming in, best documented
> at isc.sans.org.
This is not an IIS exploit. It's an exploit that targets IE.
In many configurations, the rules being passed around won't work at all.
If you are using HttpInspect's flow_depth or Http Flow, then looking
at most pages isn't going to work.
We don't ship rules that look for vulnerabilities attacked via
If you want to catch these attacks, use the rules committed 10 days
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT
local resource redirection attempt"; flow:to_client,established;
classtype:attempted-user; sid:2577; rev:2;)
This rule was originally written by nnposter at ...592...
with only minor mods by me.
It works well and catches all of the potential variations that use
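
Added example, not part of the original post and not Snort code: a simplified Python model of the point about flow_depth, showing a signature on content late in a page body being missed while a signature on a response header still fires. The 300-byte depth, both patterns (the rule's detection options are not shown on this page) and the sample responses are assumptions constructed for illustration.

```python
import re

# Assumed inspection depth in bytes; the real value depends on the sensor's config.
FLOW_DEPTH = 300

# Assumed stand-in patterns; neither is taken from an actual rule.
BODY_SIG = re.compile(rb"EXAMPLE-APPENDED-SCRIPT")              # text late in the page body
HEADER_SIG = re.compile(rb"^Location:\s*URL\s*:", re.I | re.M)  # redirect in a response header


def inspected(response, depth):
    """Bytes of a server response that a depth-limited inspector examines.

    Simplified model: the limit counts from the first byte of the response,
    headers included. depth=None means no limit.
    """
    return response if depth is None else response[:depth]


def matches(response, depth):
    """Report which of the two signatures match inside the inspected window."""
    window = inspected(response, depth)
    return {
        "body_sig": bool(BODY_SIG.search(window)),
        "header_sig": bool(HEADER_SIG.search(window)),
    }


def build_response(status, headers, body):
    """Assemble a raw HTTP response from a status line, header lines and a body."""
    head = b"\r\n".join([b"HTTP/1.1 " + status] + headers)
    return head + b"\r\n\r\n" + body


# Constructed sample 1: a page with a marker appended after 4 KB of HTML.
PAGE = build_response(
    b"200 OK",
    [b"Content-Type: text/html"],
    b"<html>" + b"A" * 4096 + b"EXAMPLE-APPENDED-SCRIPT</html>",
)

# Constructed sample 2: a response whose header carries the redirect.
REDIRECT = build_response(b"302 Found", [b"Location: URL:example-scheme:placeholder"], b"")

if __name__ == "__main__":
    print("page, limited depth:    ", matches(PAGE, FLOW_DEPTH))
    print("page, unlimited depth:  ", matches(PAGE, None))
    print("redirect, limited depth:", matches(REDIRECT, FLOW_DEPTH))
```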