No subject


Thu Nov 23 16:34:03 EST 2017


presuming.

ANONYMOUS FTP LOGIN FROM <site>, guest at ...115...
  ^ the guest at ...115... seems constant
CWD /pub/
MKD 010917223748p
  ^ sig from the readme.exe? for its directory
CWD /public/
CWD /pub/incoming/
CWD /incoming/
CWD /_vti_pvt/
CWD /
MKD 010917223758p
CWD /upload/
FTP session closed

mark
--SNIP---

+----------------------------------------------------+
| Mark Canter (marcus at ...64...)                  |
| http://www.doutlets.com                            |
| PGP Key: http://www.doutlets.com/~marcus/pgp.phtml |
+----------------------------------------------------+

On Tue, 18 Sep 2001, Jensenne Roculan wrote:

> Hi there,
>
> Due to the Nimda worm, we're seeing a tonne of these WEB-IIS File
> permission canonicalization sigs being set off:
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS File
> permission canonicalization"; uricontent:"/scripts/..%c0%af../"; flags:
> A+; nocase; classtype:attempted-admin; sid:981; rev:1;)
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS File
> permission canonicalization"; uricontent:"/scripts/..%c1%1c../"; flags:
> A+; nocase; classtype:attempted-admin; sid:982; rev:1;)
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS File
> permission canonicalization"; uricontent:"/scripts/..%c1%9c../"; flags:
> A+; nocase; classtype:attempted
>
> I am just curious as to why these rules were classified as WEB-IIS File
> permission canonicalization?  Wouldn't an extended UNICODE classification
> be much more suitable or am I missing something?  Thanks in advance.
>
> Cheers,
>
> Jensenne Roculan
> SecurityFocus - http://www.securityfocus.com
> ARIS - http://aris.securityfocus.com
> (403) 213-3939 ext. 229
>
>
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>
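The three uricontent patterns in the quoted rules are all two-byte overlong UTF-8 spellings of a path separator, which is the reason "extended Unicode" describes them better than "file permission canonicalization". As an added example (not code from the thread, from Snort or from IIS), the Python below models a lenient decoder (an assumption about the faulty canonicalizer, not its real implementation), flags those sequences in constructed request lines, and shows that a strict UTF-8 decoder rejects every one of them.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample request lines (not from the thread); the first three carry
# the byte pairs named in the quoted sid:981/982 uricontent patterns.
SAMPLE_REQUESTS = [
    "GET /scripts/..%c0%af../sample.txt HTTP/1.0",
    "GET /scripts/..%c1%1c../sample.txt HTTP/1.0",
    "GET /scripts/..%C1%9C../sample.txt HTTP/1.0",
    "GET /scripts/index.asp?name=%c3%a9 HTTP/1.0",  # well-formed UTF-8, not overlong
    "GET /index.html HTTP/1.0",
]

def lax_two_byte_decode(lead: int, trail: int) -> int:
    """Assumed model of a lenient decoder: 5 low bits of the lead byte, 6 low bits
    of the trail byte, no check that the trail is 10xxxxxx or that 2 bytes were needed."""
    return ((lead & 0x1F) << 6) | (trail & 0x3F)

def find_overlong_separators(uri: str) -> list:
    """(percent-form, char) for each two-byte sequence a lenient decoder turns into
    a path separator. Leads 0xC0/0xC1 can only start overlong forms."""
    raw = unquote_to_bytes(uri)  # accepts %c0%af and %C0%AF alike, like the rules' nocase
    hits, i = [], 0
    while i + 1 < len(raw):
        lead, trail = raw[i], raw[i + 1]
        if lead in (0xC0, 0xC1):
            ch = chr(lax_two_byte_decode(lead, trail))
            if ch in "/\\":
                hits.append((f"%{lead:02x}%{trail:02x}", ch))
                i += 2
                continue
        i += 1
    return hits

def strict_utf8_rejects(uri: str) -> bool:
    """True when a strict UTF-8 decoder refuses the bytes; holds for every hit above."""
    try:
        unquote_to_bytes(uri).decode("utf-8")
        return False
    except UnicodeDecodeError:
        return True

def triage(request_lines: list) -> dict:
    """Map each request line to its overlong-separator hits (empty list = clean)."""
    out = {}
    for line in request_lines:
        m = re.match(r"^[A-Z]+ (\S+) HTTP/", line)
        out[line] = find_overlong_separators(m.group(1)) if m else []
    return out
```

Calling triage(SAMPLE_REQUESTS) flags the first three lines and leaves the well-formed UTF-8 and plain requests clean.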



--__--__--

Message: 4
From: "Marc Eggenberger" <me at ...116...>
To: <snort-sigs at lists.sourceforge.net>
Date: Wed, 19 Sep 2001 14:02:51 +0200
Subject: [Snort-sigs] How and why are older entries dropped

Hi there.

Hope my head doesn't get chopped off ;-)

I just downloaded the newest sigs off the cvs tree and I made a diff between
the ones I am running now ... I found that some entries are not existing in
the new one anymore. For example in the web-iis.rules v1.17 there was an
entry codebrowser access which checked the uri for content
/selector/showcode.asp ... this isn't existing in the web-iis.rules 1.23
anymore. Why is this? In my understanding you should leave older exploits ..
or was it wrong? If so, are there any history files describing which entries
have been dropped and why?

--
mfg
Marc



--__--__--

Message: 5
Date: Wed, 19 Sep 2001 08:38:47 -0400
From: Brian <bmc at ...95...>
To: Marc Eggenberger <me at ...116...>
Cc: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] How and why are older entries dropped

According to Marc Eggenberger:
> I just downloaded the newest sigs off the cvs tree and I made a diff between
> the ones I am running now ... I found that some entries are not existing in
> the new one anymore. For example in the web-iis.rules v1.17 there was an
> entry codebrowser access which checked the uri for content
> /selector/showcode.asp ... this isn't existing in the web-iis.rules 1.23
> anymore. Why is this? In my understanding you should leave older exploits ..
> or was it wrong? If so, are there any history files describing which entries
> have been dropped and why?

sid:1037

grep showcode.asp *.rules

It still exists in web-iis.rules

-brian



--__--__--

_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs


End of Snort-sigs Digest
