[Snort-users] Recent IIS exploit rule

Aaron Gee-Clough aaron.gee-clough at ...683...
Tue Oct 24 14:47:49 EDT 2000


No problem.  Thanks for the info.  

Since I'd like to keep using the http-decode plugin, I think I'm going to end up alerting on URLs containing "winnt\system32\cmd.exe?/c".  Yeah, I know that doesn't cover all the things that can be done with this vulnerability (and that I have to have several rules to cover the possible / & \ variants), but with that and an alert for  winnt\system32\tftp.exe, I think I'll have the blatant script kiddies covered.  Anyone have any better ideas for using the http-decode plugin *and* alerting this vulnerability?

Aaron

At 11:29 AM 10/24/00 -0700, Max Vision wrote:
>Hi sorry for the slow response, I've been buried in a project
>
>Those rules won't work if you have http_decode running, snort can't see the percentage signs ("%")... using the hex escapes don't help one bit, I just added them in hopes that a future restructuring of http decoding (perhaps even that digs into unicode parsing) will allow for raw/bypass detection ala "|25|XX"... maybe a keyword like "donthttpdecodethis;"
>
>If you disable http_decode then it should work fine... (for the widely published exploits only - there are so many variations of this that it's not a solid detection method...)
>
>Max
>
>At 09:40 AM 10/24/2000 -0400, Aaron Gee-Clough wrote:
>>Has anyone else had trouble with the recent IIS Unicode exploit rule?  I can't seem to get snort to trigger with Max Vision's rule for it, nor for a pure Hex content rule.  I know that snort is seeing the packets, since a pure sniff without any rules see the requests I'm making, but it never alerts.  Are there any gotchas in writing hex content rules?
>>
>>thanks.
>>
>>Aaron
>>
>>Rules in question:
>>
>>Max vision's rule:
>>alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS433/web-iis-unicode-traversal-optyx"; flags: AP; content: "|25|c0|25|af"; nocase;)
>>
>>My version:
>>alert tcp any any -> $HOME_NET 80 (msg: "IIS Unicode attack"; flags: PA; content: "|25 63 30 25 61 66|";)
>>
>>----------------------------------------------------
>>Aaron Gee-Clough
>>Digex Systems Security Operations
>>
>>_______________________________________________
>>Snort-users mailing list
>>Snort-users at lists.sourceforge.net
>>http://lists.sourceforge.net/mailman/listinfo/snort-users

----------------------------------------------------
Aaron Gee-Clough
Digex Systems Security Operations




More information about the Snort-users mailing list