[Snort-users] IIS Unicode attack

Guy Bruneau bruneau at ...126...
Thu Jan 25 13:03:23 EST 2001


Charles-Henri,

One easy way to detect outside-in-only activity would be to use the pass
rule to ignore the inside users:

pass tcp $HOME_NET any -> !$HOME_NET 80 (flags: AP; content: "..|25|c1|25|9c"; nocase;)
pass tcp $HOME_NET any -> !$HOME_NET 80 (flags: AP; content: "..|25|c0|25|af"; nocase;)
pass tcp $HOME_NET any -> !$HOME_NET 80 (flags: AP; content: "..|25|c1|25|1c"; nocase;)

Hope this helps.

Guy Bruneau

Charles-Henri Hallard wrote:

> Well, does anyone know how to change the detection of the IIS Unicode attack in
> spp_http_decode so that it detects in one way only?
>
> Today I have some alerts about this, but when internal hosts are surfing on
> the Internet; I would like to detect this only when an Internet user attacks my
> Web server on port 80.
>
> Any idea?
>
> Also, maybe a stupid question, but is it possible (maybe not, because it's
> not done) to detect this attack by creating a rule?
>
> ==============================
> Charles-Henri Hallard
> tel: 05 49 89 31 01
> email: ch.hallard at ...628...
> ==============================
>
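
The direction logic of the pass rules above, as an added Python example that is not part of the original message or of Snort itself. The HOME_NET range and the sample traffic are constructed assumptions, and the TCP flags check (flags: AP) is not modelled.

```python
import ipaddress

# Assumed for illustration; the thread does not give the HOME_NET range.
HOME_NET = ipaddress.ip_network("192.0.2.0/24")

# The three content patterns from the pass rules ("|25|" is the byte for "%").
PATTERNS = (b"..%c1%9c", b"..%c0%af", b"..%c1%1c")


def matches_unicode_pattern(payload: bytes) -> bool:
    """Case-insensitive content match, like Snort's nocase option."""
    lowered = payload.lower()
    return any(pattern in lowered for pattern in PATTERNS)


def verdict(src: str, dst: str, dport: int, payload: bytes) -> str:
    """Return 'pass', 'alert' or 'none' for one TCP payload."""
    if dport != 80 or not matches_unicode_pattern(payload):
        return "none"
    src_inside = ipaddress.ip_address(src) in HOME_NET
    dst_inside = ipaddress.ip_address(dst) in HOME_NET
    # Mirrors: pass tcp $HOME_NET any -> !$HOME_NET 80 (inside users browsing out)
    if src_inside and not dst_inside:
        return "pass"
    # Any other matching traffic, including outside -> inside, still alerts.
    return "alert"


# Constructed sample traffic: (src, dst, dport, payload).
SAMPLES = [
    ("198.51.100.7", "192.0.2.10", 80, b"GET /a/..%C1%9C../b HTTP/1.0\r\n\r\n"),
    ("192.0.2.55", "203.0.113.9", 80, b"GET /a/..%c0%af../b HTTP/1.0\r\n\r\n"),
    ("198.51.100.7", "192.0.2.10", 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
    ("198.51.100.7", "192.0.2.10", 8080, b"GET /a/..%c1%1c../b HTTP/1.0\r\n\r\n"),
]


def run_samples():
    """Classify every constructed sample in order."""
    return [verdict(*sample) for sample in SAMPLES]


if __name__ == "__main__":
    for sample, result in zip(SAMPLES, run_samples()):
        print(f"{sample[0]} -> {sample[1]}:{sample[2]} {result}")
```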




