[Snort-users] Recent IIS exploit rule

Aaron Gee-Clough aaron.gee-clough at ...683...
Tue Oct 24 09:40:04 EDT 2000

Has anyone else had trouble with the recent IIS Unicode exploit rule?  I can't seem to get snort to trigger with Max Vision's rule for it, nor for a pure Hex content rule.  I know that snort is seeing the packets, since a pure sniff without any rules sees the requests I'm making, but it never alerts.  Are there any gotchas in writing hex content rules?



Rules in question:

Max Vision's rule:
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS433/web-iis-unicode-traversal-optyx"; flags: AP; content: "|25|c0|25|af"; nocase;)

My version:
alert tcp any any -> $HOME_NET 80 (msg: "IIS Unicode attack"; flags: PA; content: "|25 63 30 25 61 66|";)

Aaron Gee-Clough
Digex Systems Security Operations
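
Added example (not part of the original post, and not Snort's own code): a small Python decoder for the `content` syntax used in the two rules above, showing which bytes each pattern stands for and how `nocase` changes the comparison. The payloads are constructed, and the decoder is a simplified model that ignores backslash escapes and does not model `flags` or anything else evaluated before content matching.

```python
def decode_content(pattern: str) -> bytes:
    """Return the raw bytes a Snort content string stands for.

    Text between a pair of '|' is hex (whitespace ignored); everything
    else is literal text. Simplification: backslash escapes are not handled.
    """
    parts = pattern.split("|")      # alternates literal, hex, literal, ...
    if len(parts) % 2 == 0:         # an odd number of '|' was seen
        raise ValueError("unbalanced '|' in content pattern")
    out = bytearray()
    for i, part in enumerate(parts):
        if i % 2:                   # inside pipes: hex bytes
            out += bytes.fromhex(part)
        else:                       # outside pipes: literal characters
            out += part.encode("latin-1")
    return bytes(out)


def content_matches(payload: bytes, pattern: str, nocase: bool = False) -> bool:
    """Substring match of the decoded pattern, optionally case-insensitive."""
    needle = decode_content(pattern)
    if nocase:
        return needle.lower() in payload.lower()
    return needle in payload


# Content strings copied from the two rules in the post.
MAX_VISION = "|25|c0|25|af"          # used with nocase in the rule
HEX_ONLY = "|25 63 30 25 61 66|"     # used without nocase in the rule

# Constructed payloads: the same encoded sequence in lower and upper case.
LOWER = b"GET /x%c0%afy HTTP/1.0\r\n\r\n"
UPPER = b"GET /x%C0%AFy HTTP/1.0\r\n\r\n"


def compare():
    """Rows of (label, decoded bytes, hits LOWER, hits UPPER)."""
    return [
        ("mixed hex/text, nocase", decode_content(MAX_VISION),
         content_matches(LOWER, MAX_VISION, True),
         content_matches(UPPER, MAX_VISION, True)),
        ("hex only, case-sensitive", decode_content(HEX_ONLY),
         content_matches(LOWER, HEX_ONLY), content_matches(UPPER, HEX_ONLY)),
    ]


if __name__ == "__main__":
    for row in compare():
        print(row)
```

Both patterns decode to the same six bytes; in this model the only difference between them is that the hex-only pattern, having no `nocase`, misses the upper-case encoding.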