[Snort-sigs] WEB-IIS Translate update...

Erik Fichtner emf at ...4...
Wed Mar 31 12:54:04 EST 2004



Hi all.   sid 1042 rev 6 falses an awful lot, and the original attack doesn't happen very 
often anymore (if it ever really did).  I propose a modification:

(line split for readability)


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS view source via translate header"; flow:to_server,established; \
	pcre: !"/(PROPFIND|OPTIONS)/i"; \
	content: "Translate|3a| F"; nocase; \
	content: !"User-Agent|3a| Microsoft-WebDAV-MiniRedir/5.1.2600"; \
	reference:arachnids,305; reference:bugtraq,1578; classtype:web-application-activity; sid:1001042; rev:6;)



-- 
Erik Fichtner
Principal Engineer, Information Security, ServerVault Corp.
703-652-5900
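
The payload logic of the rule proposed above, as an added example that is not part of the original post: a small Python model of its three payload options, run over constructed HTTP requests to show which ones the two negated options silence. The function names, the sample requests and the "translate-only" baseline (the proposal with both negations removed) are assumptions made for illustration; flow, ports and Snort's own matching engine are not modelled.

```python
import re

# Payload options of the proposed rule (flow, ports and variables are not modelled).
NEG_PCRE = re.compile(rb"(PROPFIND|OPTIONS)", re.I)  # pcre:!"/(PROPFIND|OPTIONS)/i"
TRANSLATE = b"translate: f"                          # content:"Translate|3a| F"; nocase
NEG_UA = b"User-Agent: Microsoft-WebDAV-MiniRedir/5.1.2600"  # negated, case-sensitive

def translate_only(payload: bytes) -> bool:
    """Assumed baseline: the proposal with both negated options removed."""
    return TRANSLATE in payload.lower()

def proposed(payload: bytes) -> bool:
    """All options are ANDed; a negated option passes only when its pattern is absent."""
    return (translate_only(payload)
            and NEG_PCRE.search(payload) is None
            and NEG_UA not in payload)

def req(method, path, *headers):
    """Build a constructed HTTP/1.1 request as raw bytes."""
    lines = [f"{method} {path} HTTP/1.1", "Host: www.example.com", *headers, "", ""]
    return "\r\n".join(lines).encode()

# Constructed sample requests, not captured traffic.
SAMPLES = {
    "get_translate": req("GET", "/default.asp", "Translate: f", "User-Agent: Mozilla/4.0"),
    "propfind": req("PROPFIND", "/docs/", "Translate: f", "Depth: 1"),
    "options": req("OPTIONS", "/", "translate: f"),
    "miniredir_get": req("GET", "/docs/a.doc", "translate: f",
                         "User-Agent: Microsoft-WebDAV-MiniRedir/5.1.2600"),
    "plain_get": req("GET", "/index.html", "User-Agent: Mozilla/4.0"),
}

def compare(samples=SAMPLES):
    """Map each sample name to (baseline fires, proposed rule fires)."""
    return {name: (translate_only(p), proposed(p)) for name, p in samples.items()}

if __name__ == "__main__":
    for name, (old, new) in compare().items():
        print(f"{name:14} translate-only={old!s:5} proposed={new}")
```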



