[Snort-sigs] new rule for detect IISv5 bypass authentication
rmkml at ...324...
Tue May 22 15:39:13 EDT 2007
please check and maybe add this new rule :
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS IISv5 bypass authentication with null.htw attempt"; flow:to_server,established; uricontent:"/null.htw?"; nocase; uricontent:"CiWebhitsfile="; nocase; uricontent:"CiRestriction="; nocase; uricontent:"CiHiliteType="; nocase; reference:url,support.microsoft.com/kb/328832; classtype:attempted-admin; sid:91933; rev:1; )
Any suggestions and improvements are welcome,
contact at ...3281...
=> Crusoe Researches have more than 1933 UNIQ 'snort' rules for Commercial Access
(Contact me directly if you are interested)
Azwalaro French new nidps open source project
azwalaro at ...3281...
More information about the Snort-sigs