[Snort-sigs] Remote IIS Server_Name Spoof attempt

rmkml rmkml at ...324...
Thu Aug 25 03:52:16 EDT 2005


Hi,

Do you have a rule to detect this?

http://ingehenriksen.blogspot.com/2005/08/remote-iis-5x-and-iis-60-server-name.html
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2678

Maybe like:
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS Remote IIS Server Name spoof attempt"; flow:to_server,established; pcre:"/ http\:\/\/localhost\/.*\.asp/i"; sid:x;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS Remote IIS Server Name spoof attempt"; flow:to_server,established; pcre:"/ http\:\/\/127\.0\.0\.1\/.*\.asp/i"; sid:y;)

Regards
Rmkml
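
Added example, not part of the original post: the two pcre bodies from the proposed rules, run with Python's re module over constructed HTTP payloads to show what they fire on, including a Referer header that matches because the pcre is applied to the whole payload. The REQUEST_LINE pattern and the sample payloads are assumptions made for this illustration, not something the poster proposed.

```python
import re

# The two pcre bodies from the proposed rules, with the /i flag mapped to re.I.
PROPOSED = {
    "localhost": re.compile(r" http\:\/\/localhost\/.*\.asp", re.I),
    "127.0.0.1": re.compile(r" http\:\/\/127\.0\.0\.1\/.*\.asp", re.I),
}

# Assumed tightening (not from the post): look only at the request line, and
# only when the request target is an absolute URI naming the loopback host.
REQUEST_LINE = re.compile(
    r"^[A-Z]+ http://(localhost|127\.0\.0\.1)/[^ ]*\.asp", re.I
)


def proposed_hits(payload):
    """Names of the proposed rules whose pcre matches anywhere in the payload."""
    return [name for name, rx in PROPOSED.items() if rx.search(payload)]


def request_line_hit(payload):
    """True when the first line of the payload matches the tightened pattern."""
    first_line = payload.split("\r\n", 1)[0]
    return REQUEST_LINE.search(first_line) is not None


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "absolute-uri": "GET http://localhost/page.asp HTTP/1.0\r\n\r\n",
    "absolute-ip": "GET http://127.0.0.1/page.asp HTTP/1.0\r\n\r\n",
    "normal": "GET /page.asp HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "referer": ("GET /page.asp HTTP/1.1\r\nHost: www.example.com\r\n"
                "Referer: http://localhost/dev/test.asp\r\n\r\n"),
}

if __name__ == "__main__":
    for label, payload in SAMPLES.items():
        print(label, proposed_hits(payload), request_line_hit(payload))
```

The "referer" sample is an ordinary request that the proposed pcre still flags, which is the kind of false positive to expect before the pattern is tied to the request line.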



