[Snort-sigs] Unknown IIS Worm Sigs

John Nagro john.nagro at ...2420...
Fri Jun 25 07:31:12 EDT 2004


Yes, but from what I found, this particular one uses mms:// links, not
ms-its:// links, which was in the original exploit. Can you verify
that? And to comment on the first part, it is actually spread by
infecting IIS web servers and putting this code onto the web pages.

-John

On Fri, 25 Jun 2004 10:22:40 -0400, Brian <bmc at ...95...> wrote:
> 
> On Thu, Jun 24, 2004 at 07:04:50PM -0500, Matthew Jonkman wrote:
> > Reports of a potential 0-day IIS exploit are coming in, best documented
> > at isc.sans.org.
> 
> This is not an IIS exploit.  It's an exploit that targets IE.
> 
> In many configurations, the rules being passed around won't work.
> Any javascript can be encoded in any arbitrary manner and these won't
> work at all.
> 
> If you are using HttpInspect's flow_depth or Http Flow, then looking
> at most pages isn't going to work.
> 
> We don't ship rules that look for vulnerabilities attacked via
> javascript for these reasons.
> 
> If you want to catch these attacks, use the rules committed 10 days
> ago:
> 
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT
>     local resource redirection attempt"; flow:to_client,established;
>     content:"Location|3a|"; nocase;
>     pcre:"/^Location\x3a\s*URL\s*\x3a/smi"; reference:cve,2004-0549;
>     reference:url,www.kb.cert.org/vuls/id/713878;
>     classtype:attempted-user; sid:2577; rev:2;)
> 
> This rule was originally written by nnposter at ...592...
> with only minor mods by me.
> 
> It works well and catches all of the potential variations that use
> this vulnerability.
> 
> Brian
>
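As an added illustration of why the quoted rule holds up where JavaScript-string rules do not, here is a Python re-implementation of the matching logic of sid:2577 (the `content` pre-filter followed by the anchored `pcre`), run over a few constructed HTTP responses. This is example code written for this thread, not Snort's engine and not code from either poster; the sample responses and the `PLACEHOLDER` targets are made up, and the mms:/ms-its: schemes appear only to show that the rule keys on the `Location: URL:` header rather than on the scheme that follows it.

```python
import re

# Added example: re-implements the matching logic of the quoted Snort rule
# (sid:2577) in Python. Not Snort itself; all inputs below are constructed.

# content:"Location|3a|"; nocase;  -> case-insensitive literal pre-filter
FAST_PATTERN = b"location:"

# pcre:"/^Location\x3a\s*URL\s*\x3a/smi" -> same pattern and flags in Python
LOCAL_REDIRECT = re.compile(rb"^Location\x3a\s*URL\s*\x3a", re.S | re.M | re.I)


def matches_sid_2577(payload: bytes) -> bool:
    """Return True when a server->client payload would trip sid:2577."""
    # Stage 1: cheap literal check, like Snort's content match with nocase.
    if FAST_PATTERN not in payload.lower():
        return False
    # Stage 2: anchored PCRE. With /m, '^' matches at any line start, so the
    # header name must begin a line; \s* tolerates padding around the colons.
    return LOCAL_REDIRECT.search(payload) is not None


# Constructed sample responses (not captured traffic).
SAMPLES = {
    # Ordinary 302 to an absolute URL: "Location:" present, no "URL:" prefix.
    "benign_redirect": (
        b"HTTP/1.1 302 Found\r\n"
        b"Location: http://www.example.com/index.html\r\n"
        b"Content-Length: 0\r\n\r\n"
    ),
    # Local-resource redirect header with mixed case and padding; the
    # ms-its: target is a labelled placeholder, not a working payload.
    "local_redirect_padded": (
        b"HTTP/1.1 302 Found\r\n"
        b"location:   url : ms-its:PLACEHOLDER-LOCAL-RESOURCE\r\n\r\n"
    ),
    # Same header with no whitespace at all.
    "local_redirect_tight": (
        b"HTTP/1.1 302 Found\r\n"
        b"Location:URL:PLACEHOLDER\r\n\r\n"
    ),
    # The mms: variant John asks about: the scheme changes, the header
    # the rule keys on does not.
    "local_redirect_mms": (
        b"HTTP/1.1 302 Found\r\n"
        b"Location: URL:mms:PLACEHOLDER\r\n\r\n"
    ),
    # Passes the literal pre-filter ("x-location:" contains "location:")
    # but not the anchored PCRE, because the line does not start with it.
    "prefixed_header_name": (
        b"HTTP/1.1 200 OK\r\n"
        b"X-Location: URL:PLACEHOLDER\r\n\r\n"
    ),
}


def scan(samples: dict) -> dict:
    """Run every sample through the detector; returns {label: matched}."""
    return {label: matches_sid_2577(body) for label, body in samples.items()}


if __name__ == "__main__":
    for label, hit in scan(SAMPLES).items():
        print(f"{'ALERT' if hit else 'ok   '}  {label}")
```

Two design points carry over from the rule: the literal `content` match is only a fast pre-filter, so the anchored regex is what actually decides, and the decision rests on the `Location` header, which is sent in the clear at the very start of the response. That is why encoding the JavaScript in the page, or limiting how deep into the response the preprocessor inspects, does not blind this rule the way it blinds rules that search page bodies for script strings.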