No subject


Thu Nov 23 16:34:03 EST 2017


presuming.

ANONYMOUS FTP LOGIN FROM <site>, guest at ...115...
  ^ the guest at ...115... seems constant
CWD /pub/
MKD 010917223748p
  ^ sig from the readme.exe? for its directory
CWD /public/
CWD /pub/incoming/
CWD /incoming/
CWD /_vti_pvt/
CWD /
MKD 010917223758p
CWD /upload/
FTP session closed

mark
--SNIP---

+----------------------------------------------------+
| Mark Canter (marcus at ...64...)                  |
| http://www.doutlets.com                            |
| PGP Key: http://www.doutlets.com/~marcus/pgp.phtml |
+----------------------------------------------------+

On Tue, 18 Sep 2001, Jensenne Roculan wrote:

> Hi there,
>
> Due to the Nimda worm, we're seeing a tonne of these WEB-IIS File
> permission canonicalization sigs being set off:
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS File
> permission canonicalization"; uricontent:"/scripts/..%c0%af../"; flags:
> A+; nocase; classtype:attempted-admin; sid:981; rev:1;)
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS File
> permission canonicalization"; uricontent:"/scripts/..%c1%1c../"; flags:
> A+; nocase; classtype:attempted-admin; sid:982; rev:1;)
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS File
> permission canonicalization"; uricontent:"/scripts/..%c1%9c../"; flags:
> A+; nocase; classtype:attempted
>
> I am just curious as to why these rules were classified as WEB-IIS File
> permission canonicalization?  Wouldn't an extended UNICODE classification
> be much more suitable or am I missing something?  Thanks in advance.
>
> Cheers,
>
> Jensenne Roculan
> SecurityFocus - http://www.securityfocus.com
> ARIS - http://aris.securityfocus.com
> (403) 213-3939 ext. 229
>
>
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>
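The question in the quoted message turns on what the rule patterns actually do to IIS. The worked example below is added here and is not from the thread, from Mark's or Jensenne's messages, or from the Snort project; it models the lenient UTF-8 decoder behind the IIS Unicode bug (reconstructed from the public description of the flaw, not from IIS source), a pre-decode traversal check of the kind that flaw bypassed, and a simplified case-insensitive match of the three quoted uricontent patterns. The sample request paths are constructed, and the third rule is listed by pattern only because its sid is cut off in the quoted text. Run it to see that %c0%af decodes to "/" and %c1%1c / %c1%9c to "\" only under the lenient decoder, that the "..%c0%af.." form slips past a check for ".." segments and then canonicalizes out of /scripts, and that a strict decoder rejects the sequence outright.

```python
"""Added example (not from the thread): why the quoted WEB-IIS rules are about
canonicalization.  The flawed decoder turns overlong UTF-8 into '/' or '\\'
after the path-traversal check has already run on the undecoded bytes."""
from urllib.parse import unquote_to_bytes

# The three uricontent patterns quoted in the thread.  The third rule's sid
# is truncated in the quoted message, so it is listed by pattern only.
URICONTENT = {
    "sid 981": "/scripts/..%c0%af../",
    "sid 982": "/scripts/..%c1%1c../",
    "third rule (sid truncated)": "/scripts/..%c1%9c../",
}


def lenient_utf8(b: bytes) -> str:
    """Model of the flawed decoder (assumption: reconstructed from the public
    description of the IIS Unicode bug, not IIS source).  A 2-byte lead byte
    0xC0-0xDF is combined with the low 6 bits of whatever byte follows, so an
    overlong form (0xC0 0xAF) and a bad continuation byte (0xC1 0x1C) are both
    accepted instead of rejected."""
    out, i = [], 0
    while i < len(b):
        c = b[i]
        if 0xC0 <= c <= 0xDF and i + 1 < len(b):
            out.append(chr(((c & 0x1F) << 6) | (b[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(c))
            i += 1
    return "".join(out)


def strict_utf8(b: bytes):
    """Correct decoder: overlong sequences and bad continuation bytes are
    rejected (Python's codec treats 0xC0 and 0xC1 as invalid start bytes)."""
    try:
        return b.decode("utf-8")
    except UnicodeDecodeError:
        return None


def canonicalize(path: str) -> str:
    """Collapse '.', '..' and backslashes the way the filesystem would;
    '..' cannot climb above the root."""
    parts = []
    for seg in path.replace("\\", "/").split("/"):
        if seg == "..":
            if parts:
                parts.pop()
        elif seg and seg != ".":
            parts.append(seg)
    return "/" + "/".join(parts)


def traversal_check(raw: bytes) -> bool:
    """Modelled pre-decode check: reject any '..' segment in the percent-decoded
    but not yet UTF-8-decoded path.  '..\\xc0\\xaf..' is not a '..' segment, so
    the overlong form passes here."""
    segs = raw.decode("latin-1").replace("\\", "/").split("/")
    return all(seg != ".." for seg in segs)


def resolve(raw_uri: str, decoder):
    """Return (check_passed, canonical_path) for one request path; the path is
    None when the decoder rejects the bytes."""
    raw = unquote_to_bytes(raw_uri.split("?", 1)[0])
    passed = traversal_check(raw)
    decoded = decoder(raw)
    return passed, (None if decoded is None else canonicalize(decoded))


def matching_rules(raw_uri: str) -> list:
    """Case-insensitive substring match of the quoted uricontent patterns
    (a simplification of Snort's URI matching)."""
    u = raw_uri.lower()
    return [name for name, pat in URICONTENT.items() if pat in u]


if __name__ == "__main__":
    # Constructed sample request paths in the shape the thread discusses.
    for uri in ("/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir",
                "/scripts/..%C1%9C../winnt/system32/cmd.exe?/c+dir",
                "/scripts/../winnt/system32/cmd.exe",
                "/scripts/index.asp"):
        print(uri)
        print("  rules  :", matching_rules(uri) or "none")
        print("  lenient:", resolve(uri, lenient_utf8))
        print("  strict :", resolve(uri, strict_utf8))
```

The plain "/scripts/../" request is stopped by the ".." check, while the overlong form passes that check and still ends up at the same canonical path once the lenient decoder has run; that is the canonicalization failure the rule names refer to, rather than anything specific to Unicode itself.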
