[Snort-sigs] mis-labelled WEB-MISC Microsoft Windows ASP.NET information disclosure attempt

Joel Esler jesler at ...435...
Sun May 27 19:21:40 EDT 2012


Jason, thanks. I'll take a look.

--
Joel Esler

On May 27, 2012, at 7:15 PM, Jason Haar <Jason_Haar at ...3686...> wrote:

> Hi there
> 
> We've had this triggered by bots scanning our Linux/Apache web servers.
> However, when we first saw this, we got a bit freaked out because it
> implied we had unpatched IIS servers (well, that's how I interpreted it).
> 
> I think this rule is mis-named. It doesn't detect ASP-related scans, it
> detects *any* webscanner. So I think it should be renamed and
> reclassified, e.g.
> 
> alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"WEB-MISC
> web scanner/bot detected"; flow:to_client,established; file_data;
> content:"HTTP/1.1 404 Not Found"; fast_pattern:only;
> detection_filter:track by_dst, count 100, seconds 30;
> classtype:attempted-recon...........
> 
> -- 
> Cheers
> 
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +1 408 481 8171
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
> 
> 




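Added example, not part of the original messages or of any Snort ruleset: the rate logic of the quoted rule (`detection_filter:track by_dst, count 100, seconds 30` on 404 responses sent to clients) replayed over constructed events, showing that it keys only on 404 volume per client and on nothing ASP.NET-specific. The function names, the sample addresses and the fixed-window counting are assumptions made for illustration.

```python
def scanner_alerts(events, count=100, seconds=30):
    """Return (timestamp, client) for each 404 past the per-client rate limit.

    events: iterable of (timestamp_seconds, client_ip, http_status), time-ordered.
    Approximates `detection_filter:track by_dst, count 100, seconds 30` on a
    to_client rule: the tracked destination is the client receiving the 404.
    Assumption: a fixed window that starts at the client's first match.
    """
    windows = {}  # client -> [window_start, matches_in_window]
    alerts = []
    for ts, client, status in events:
        if status != 404:
            continue  # the rule only matches "404 Not Found" responses
        win = windows.get(client)
        if win is None or ts - win[0] >= seconds:
            windows[client] = win = [ts, 0]  # start a new counting window
        win[1] += 1
        if win[1] > count:  # only matches beyond the first `count` alert
            alerts.append((ts, client))
    return alerts


def build_sample_events():
    """Constructed traffic; addresses are RFC 5737 documentation ranges."""
    events = []
    # Scanner: 150 probes for missing URLs in 15 seconds (10 per second).
    events += [(i * 0.1, "203.0.113.7", 404) for i in range(150)]
    # Ordinary visitor: a few broken links mixed with normal pages.
    events += [(i * 5.0, "198.51.100.20", 404 if i % 4 == 0 else 200)
               for i in range(12)]
    # Slow crawler: 150 404s at one per second, at most 30 per window.
    events += [(float(i), "192.0.2.44", 404) for i in range(150)]
    return sorted(events)


def flagged_clients(events):
    """Distinct clients that produced at least one alert."""
    return sorted({client for _, client in scanner_alerts(events)})


if __name__ == "__main__":
    sample = build_sample_events()
    print("alerts:", len(scanner_alerts(sample)))
    print("clients:", flagged_clients(sample))
```

The slow crawler requests as many missing URLs as the fast scanner but never exceeds the rate, so the same threshold that flags any noisy bot also misses a patient one.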