[Snort-sigs] Unknown IIS Worm Sigs

Matthew Jonkman matt at ...2436...
Fri Jun 25 07:36:11 EDT 2004

Brian wrote:

> On Thu, Jun 24, 2004 at 07:04:50PM -0500, Matthew Jonkman wrote:
>>Reports of a potential 0-day IIS exploit are coming in, best documented 
>>at isc.sans.org.
> This is not an IIS exploit.  Its an exploit that targets IE.

I agree. That was posted early last night. The sourceforge lists are 
slow as dirt. We know a lot more now.

There are a number of new rules on bleedingsnort.com. Many people have 
contributed, I've condensed some of them that were duplicated.

> In many configurations, the rules being passed around won't work.
> Any javascript can be encoded in any arbitrary manner and these won't
> work at all.  

We do have rules out there that will tell you if you have infected PCs 
on the inside. I personally have 2577 below disabled. It was giving me 
hundreds of false positives an hour. I last tried it on the current rev and 
still had issues. I'll give it another shot though and see if I can 
provide some feedback.

> We don't ship rules that look for vulnerabilities attacked via
> javascript for these reasons.

There's more to it for the everyday admin than finding the attack. We 
also need to find the infected PCs. The sigs on bleeding will do that.


> If you want to catch these attacks, use the rules committed 10 days
> ago:
>     local resource redirection attempt"; flow:to_client,established;
>     content:"Location|3a|"; nocase;
>     pcre:"/^Location\x3a\s*URL\s*\x3a/smi"; reference:cve,2004-0549;
>     reference:url,www.kb.cert.org/vuls/id/713878;
>     classtype:attempted-user; sid:2577; rev:2;)
> This rule was originally written by nnposter at ...592...
> with only minor mods by me.
> It works well and catches all of the potential variations that use
> this vulnerability.
> Brian

Matthew Jonkman, CISSP
Senior Security Engineer
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC

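As an added illustration of what the rule Brian quotes (sid 2577) actually matches, the following Python applies its content and pcre conditions to a few constructed HTTP responses. This is my own example code, not the rule itself or anything posted in the thread; the headers-only variant is my refinement, added to show one way the body-text case (a plausible source of the false positives Matthew reports) can be excluded.

```python
import re

# Brian's quoted rule (sid 2577) carries two payload conditions:
#   content:"Location|3a|"; nocase;
#   pcre:"/^Location\x3a\s*URL\s*\x3a/smi";
# Translated to Python's re: /m -> MULTILINE, /i -> IGNORECASE (/s only affects '.', unused here).
LOCATION_URL_RE = re.compile(r"^Location\x3a\s*URL\s*\x3a", re.MULTILINE | re.IGNORECASE)


def matches_sid_2577(response: bytes) -> bool:
    """Apply the rule's payload conditions to a raw server-to-client HTTP response."""
    # content match: case-insensitive "Location:" anywhere in the payload
    if b"location:" not in response.lower():
        return False
    # pcre: "Location:" at the start of a line, then "URL:" (\s* also spans a CRLF fold)
    return LOCATION_URL_RE.search(response.decode("latin-1")) is not None


def matches_headers_only(response: bytes) -> bool:
    """Tighter variant (my addition, not part of the rule): inspect only the header
    block, so the same string quoted inside a page body does not fire."""
    headers, _, _ = response.partition(b"\r\n\r\n")
    return matches_sid_2577(headers)


# Constructed sample responses, not captured traffic.
SAMPLES = {
    "benign_redirect": b"HTTP/1.1 302 Found\r\nLocation: http://example.invalid/login\r\n\r\n",
    "url_prefix_redirect": b"HTTP/1.1 302 Found\r\nLocation: URL: http://example.invalid/\r\n\r\n",
    "folded_header": b"HTTP/1.1 302 Found\r\nLocation:\r\n URL:http://example.invalid/\r\n\r\n",
    "string_in_body": b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nlocation: URL: quoted in a page body\r\n",
}


def classify(samples=SAMPLES):
    """Return {name: (rule_as_written, headers_only_variant)} for each sample."""
    return {name: (matches_sid_2577(r), matches_headers_only(r)) for name, r in samples.items()}


if __name__ == "__main__":
    for name, (rule, tight) in classify().items():
        print(f"{name:20s} rule={rule} headers_only={tight}")
```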
