[Snort-users] IIS Unicode attack
bruneau at ...126...
Thu Jan 25 13:03:23 EST 2001
One easy way to detect outside-in-only activity would be by using the pass
rule to ignore the inside users:
pass tcp $HOME_NET any -> !$HOME_NET 80 (flags: AP; content: "..|25|c1|25|9c";)
pass tcp $HOME_NET any -> !$HOME_NET 80 (flags: AP; content: "..|25|c0|25|af";)
pass tcp $HOME_NET any -> !$HOME_NET 80 (flags: AP; content: "..|25|c1|25|1c";)
Hope this helps.
Charles-Henri Hallard wrote:
> Well, does anyone know how to change the detection of the IIS Unicode attack in
> spp_http_decode so that it detects only in one way?
> Today I have some alerts about this but when internal hosts are surfing on
> the Internet, I would like to detect this only when an Internet user attacks my
> web server on port 80.
> Any idea?
> Also, maybe a stupid question, but is it possible (maybe not, because it's
> not done) to detect this attack by creating a rule?
> Charles-Henri Hallard
> Tel: 05 49 89 31 01
> E-mail: ch.hallard at ...628...
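The direction test that the pass rules in this message rely on, modelled in Python as an added example (not code from the thread or from Snort). The home network, addresses and requests are constructed, the TCP flag check is not modelled, and matching is case-insensitive here, unlike a Snort content match without nocase.

```python
import ipaddress

# Assumption: constructed home network; substitute your own $HOME_NET.
HOME_NET = ipaddress.ip_network("192.0.2.0/24")

# The three byte patterns from the pass rules ("|25|" is the "%" byte).
PATTERNS = (b"..%c1%9c", b"..%c0%af", b"..%c1%1c")


def in_home(addr):
    """True if addr belongs to the home network."""
    return ipaddress.ip_address(addr) in HOME_NET


def has_unicode_pattern(payload):
    """True if the payload carries one of the encoded sequences."""
    data = payload.lower()  # hex digits in URL escapes may be upper case
    return any(p in data for p in PATTERNS)


def verdict(src, dst, dport, payload):
    """Return 'pass', 'alert' or 'none' for one segment sent to dport."""
    if dport != 80 or not has_unicode_pattern(payload):
        return "none"
    if in_home(src) and not in_home(dst):
        # $HOME_NET any -> !$HOME_NET 80: inside user browsing outward.
        return "pass"
    # Anything the pass rules do not match is still reported.
    return "alert"


# Constructed sample traffic: (source, destination, dest port, payload).
SAMPLES = [
    ("192.0.2.33", "198.51.100.5", 80, b"GET /a/..%c0%af../b HTTP/1.0\r\n"),
    ("203.0.113.7", "192.0.2.10", 80, b"GET /a/..%C1%9C../b HTTP/1.0\r\n"),
    ("203.0.113.7", "192.0.2.10", 80, b"GET /index.html HTTP/1.0\r\n"),
]

if __name__ == "__main__":
    for src, dst, dport, payload in SAMPLES:
        print(src, "->", dst, verdict(src, dst, dport, payload))
```

Snort 1.x applies alert rules before pass rules by default, so pass rules take precedence over alerts only when Snort is started with the -o option.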