[Snort-sigs] mis-labelled WEB-MISC Microsoft Windows ASP.NET information disclosure attempt

Jason Haar Jason_Haar at ...3686...
Sun May 27 19:15:51 EDT 2012


Hi there

We've had this triggered by bots scanning our Linux/Apache web servers.
However, when we first saw this, we got a bit freaked out because it
implied we had unpatched IIS servers (well, that's how I interpreted it).

I think this rule is mis-named. It doesn't detect ASP-related scans; it
detects *any* web scanner. So I think it should be renamed and
reclassified, e.g.

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"WEB-MISC
web scanner/bot detected"; flow:to_client,established; file_data;
content:"HTTP/1.1 404 Not Found"; fast_pattern:only;
detection_filter:track by_dst, count 100, seconds 30;
classtype:attempted-recon...........

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
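
The behaviour described in the message above, as an added example that is not part of the original post or of the Snort rule set: a simplified Python model of the quoted rule's content match and detection_filter, run over constructed responses from an Apache-style and an IIS-style server. It assumes a plain substring match on the response and a fixed sampling period that starts at the first match; the function names, addresses and Server banners are constructed for illustration.

```python
PATTERN = b"HTTP/1.1 404 Not Found"  # the rule's only content match
COUNT, SECONDS = 100, 30             # detection_filter values from the rule


def rule_alerts(responses, count=COUNT, seconds=SECONDS):
    """Return (timestamp, client_ip) for every response that would alert.

    responses: iterable of (timestamp, client_ip, raw_response_bytes),
    ordered by time. Traffic is server -> client, so "track by_dst"
    counts per client address.
    """
    windows = {}  # client_ip -> [window_start, matches_in_window]
    fired = []
    for ts, client, raw in responses:
        if PATTERN not in raw:
            continue
        state = windows.get(client)
        if state is None or ts - state[0] >= seconds:
            state = windows[client] = [ts, 0]  # start a new sampling period
        state[1] += 1
        if state[1] > count:  # alert only once the rate is exceeded
            fired.append((ts, client))
    return fired


def response(status_line, server):
    """Build a constructed HTTP response with the given Server header."""
    return (status_line + "\r\nServer: " + server + "\r\n\r\n").encode()


def scan(server, hits=150, client="203.0.113.5"):
    """Constructed traffic: one client drawing `hits` 404s at 10 per second,
    plus an ordinary visitor who gets three 404s among normal pages."""
    not_found = response("HTTP/1.1 404 Not Found", server)
    ok = response("HTTP/1.1 200 OK", server)
    events = [(i * 0.1, client, not_found) for i in range(hits)]
    events += [(t, "198.51.100.7", not_found) for t in (1.0, 5.0, 9.0)]
    events += [(t, "198.51.100.7", ok) for t in (2.0, 6.0)]
    return sorted(events, key=lambda e: e[0])


if __name__ == "__main__":
    # Nothing in the match depends on the Server header, so both banners
    # produce the same alerts.
    for server in ("Apache/2.2.22 (Debian)", "Microsoft-IIS/7.5"):
        fired = rule_alerts(scan(server))
        print(server, "->", len(fired), "alerts from", {c for _, c in fired})
```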




