[Snort-users] Recent IIS exploit rule

Max Vision vision at ...4...
Tue Oct 24 14:29:01 EDT 2000

Hi sorry for the slow response, I've been buried in a project

Those rules won't work if you have http_decode running, snort can't see the 
percentage signs ("%")... using the hex escapes don't help one bit, I just 
added them in hopes that a future restructuring of http decoding (perhaps 
even that digs into unicode parsing) will allow for raw/bypass detection 
ala "|25|XX"... maybe a keyword like "donthttpdecodethis;"

If you disable http_decode then it should work fine... (for the widely 
published exploits only - there are so many variations of this that it's 
not a solid detection method...)


At 09:40 AM 10/24/2000 -0400, Aaron Gee-Clough wrote:
>Has anyone else had trouble with the recent IIS Unicode exploit rule?  I 
>can't seem to get snort to trigger with Max Vision's rule for it, nor for 
>a pure Hex content rule.  I know that snort is seeing the packets, since a 
>pure sniff without any rules see the requests I'm making, but it never 
>alerts.  Are there any gotchas in writing hex content rules?
>Rules in question:
>Max vision's rule:
>alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: 
>"IDS433/web-iis-unicode-traversal-optyx"; flags: AP; content: 
>"|25|c0|25|af"; nocase;)
>My version:
>alert tcp any any -> $HOME_NET 80 (msg: "IIS Unicode attack"; flags: PA; 
>content: "|25 63 30 25 61 66|";)
>Aaron Gee-Clough
>Digex Systems Security Operations
>Snort-users mailing list
>Snort-users at lists.sourceforge.net

More information about the Snort-users mailing list