[Snort-users] Recent IIS exploit rule

Martin Roesch roesch at ...421...
Tue Oct 24 18:22:04 EDT 2000


This is kind of a tough problem, programmatically speaking.  Any ideas for
mods to http_decode to work past this one?  If you don't know what the web
server is, it can be hard to work past.  How about a http_unicode preprocessor
that'll convert for unicode and pass the results through the port 80 rules
(slow!)... ?

Speaking of which, I believe that SiliconDefense may have something that could
help us out in the speed department here.  Joey? :)

   -Marty

Aaron Gee-Clough wrote:
> 
> Has anyone else had trouble with the recent IIS Unicode exploit rule?  I can't seem to get snort to trigger with Max Vision's rule for it, nor for a pure Hex content rule.  I know that snort is seeing the packets, since a pure sniff without any rules sees the requests I'm making, but it never alerts.  Are there any gotchas in writing hex content rules?
> 
> thanks.
> 
> Aaron
> 
> Rules in question:
> 
> Max Vision's rule:
> alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS433/web-iis-unicode-traversal-optyx"; flags: AP; content: "|25|c0|25|af"; nocase;)
> 
> My version:
> alert tcp any any -> $HOME_NET 80 (msg: "IIS Unicode attack"; flags: PA; content: "|25 63 30 25 61 66|";)
> 
> ----------------------------------------------------
> Aaron Gee-Clough
> Digex Systems Security Operations
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users

-- 
Martin Roesch
roesch at ...421...
http://www.snort.org
