[Snort-sigs] Unknown IIS Worm Sigs

nnposter at ...592...
Sat Jun 26 09:56:01 EDT 2004


SID 2577 is protocol neutral, i.e. it does not matter what handler 
the attacker uses (ms-its or mms); the focus of the rule is on 
the attack vector, not on any attack specifics.

Cheers,
nnposter


From: John Nagro <john.nagro at ...2420...>
> yes, but from what i found, this particular one uses mms:// links, not
> ms-its:// links, which was in the original exploit. Can you verify
> that?
> 
> -John
> 
> On Fri, 25 Jun 2004 10:22:40 -0400, Brian <bmc at ...95...> wrote:
> > 
> > On Thu, Jun 24, 2004 at 07:04:50PM -0500, Matthew Jonkman wrote:
> > > Reports of a potential 0-day IIS exploit are coming in, best documented
> > > at isc.sans.org.
> > 
> > This is not an IIS exploit.  It's an exploit that targets IE.
> > 
> > In many configurations, the rules being passed around won't work.
> > Any javascript can be encoded in any arbitrary manner and these won't
> > work at all.
> > 
> > If you are using HttpInspect's flow_depth or Http Flow, then looking
> > at most pages isn't going to work.
> > 
> > We don't ship rules that look for vulnerabilities attacked via
> > javascript for these reasons.
> > 
> > If you want to catch these attacks, use the rules committed 10 days
> > ago:
> > 
> > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT
> >     local resource redirection attempt"; flow:to_client,established;
> >     content:"Location|3a|"; nocase;
> >     pcre:"/^Location\x3a\s*URL\s*\x3a/smi"; reference:cve,2004-0549;
> >     reference:url,www.kb.cert.org/vuls/id/713878;
> >     classtype:attempted-user; sid:2577; rev:2;)
> > 
> > This rule was originally written by nnposter at ...592...
> > with only minor mods by me.
> > 
> > It works well and catches all of the potential variations that use
> > this vulnerability.
> > 
> > Brian
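A stand-alone emulation of the two matching clauses of SID 2577 as quoted above, added here as an example; it is not part of this post, of the Snort rule set, or of Snort's own HttpInspect code. It shows nnposter's point that the rule keys on the `Location: URL:` response header rather than on the handler named after it (an ms-its and an mms redirect both fire, an ordinary HTTP redirect does not), and Brian's point that a header-based match survives an early inspection cutoff such as flow_depth because the header sits at the top of the response. The sample responses, the `flow_depth` parameter and all hostnames are constructed assumptions.

```python
import re
from typing import Dict, Optional

# Re-implementation of the matching clauses of SID 2577 (added example,
# not Snort source):
#   content:"Location|3a|"; nocase;
#   pcre:"/^Location\x3a\s*URL\s*\x3a/smi";
# PCRE flags /s /m /i correspond to re.DOTALL, re.MULTILINE, re.IGNORECASE.
LOCATION_URL_RE = re.compile(rb"^Location\x3a\s*URL\s*\x3a", re.S | re.M | re.I)


def sid2577_matches(response: bytes, flow_depth: Optional[int] = None) -> bool:
    """Emulate SID 2577 on one server->client HTTP response payload.

    flow_depth (assumption: models HttpInspect's server flow_depth) limits
    inspection to the first N bytes of the response; None inspects it all.
    """
    payload = response if flow_depth is None else response[:flow_depth]
    # Fast-pattern content check, case-insensitive, like `content:...; nocase;`.
    if b"location:" not in payload.lower():
        return False
    # Then the PCRE, anchored at a line start by /m.
    return LOCATION_URL_RE.search(payload) is not None


def redirect_target(response: bytes) -> Optional[str]:
    """Return the Location header value for alert context, or None.

    Only the header block (before the first blank line) is consulted.
    """
    head, _sep, _body = response.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"location":
            return value.strip().decode("latin-1")
    return None


# Constructed sample responses (not real captures); hostnames use the
# reserved .invalid TLD.
SAMPLES: Dict[str, bytes] = {
    "ms-its handler": (
        b"HTTP/1.1 302 Found\r\n"
        b"Location: URL:ms-its:constructed-placeholder\r\n"
        b"\r\n"
    ),
    "mms handler": (
        b"HTTP/1.1 302 Found\r\n"
        b"Server: constructed\r\n"
        b"LOCATION:\turl :mms://example.invalid/stream\r\n"
        b"\r\n"
    ),
    "ordinary redirect": (
        b"HTTP/1.1 302 Found\r\n"
        b"Location: http://example.invalid/login\r\n"
        b"\r\n"
    ),
    "no redirect": (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: text/html\r\n"
        b"\r\n"
        b"<html><body>URL: in the body is not a Location header</body></html>"
    ),
}


def scan_samples(samples: Dict[str, bytes] = SAMPLES,
                 flow_depth: Optional[int] = None) -> Dict[str, bool]:
    """Run the emulated rule over every sample; True means it would alert."""
    return {name: sid2577_matches(resp, flow_depth) for name, resp in samples.items()}


if __name__ == "__main__":
    for name, hit in scan_samples().items():
        state = "ALERT" if hit else "ok   "
        print(f"{state} {name}: Location={redirect_target(SAMPLES[name])!r}")
```

The handler-neutral behaviour comes from the regex stopping at the `URL:` prefix; whatever scheme follows is never examined. The odd-case, tab-separated `LOCATION:\turl :` sample passes because both the content clause (`nocase`) and the PCRE (`/i`, `\s*`) tolerate exactly that, so simple header reformatting does not slip past the rule.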
