[Snort-sigs] new rule for detect IISv5 bypass authentication

rmkml rmkml at ...324...
Tue May 22 15:39:13 EDT 2007


Hi,

please check and maybe add this new rule :

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS IISv5 bypass authentication with null.htw attempt"; flow:to_server,established; uricontent:"/null.htw?"; nocase; uricontent:"CiWebhitsfile="; nocase; uricontent:"CiRestriction="; nocase; uricontent:"CiHiliteType="; nocase; reference:url,support.microsoft.com/kb/328832; classtype:attempted-admin; sid:91933; rev:1; )

Any suggestions and improvements are welcome,

Credits:
Crusoe Researches
http://www.Crusoe-Researches.com
contact at ...3281...
=> Crusoe Researches have more than 1933 UNIQ 'snort' rules for Commercial Access
     (Contact me directly if you are interested)

Azwalaro French new nidps open source project
http://www.Crusoe-Researches.com/azwalaro/
azwalaro at ...3281...

Regards
Rmkml




More information about the Snort-sigs mailing list