[Snort-users] IIS Unicode attack

Brent Erickson erickson at ...239...
Thu Jan 25 13:48:54 EST 2001


Hello Guy and Charles-Henri,

I am struggling with this problem also. According to Marty and a few other
folks, the pass rule will not work with unicode. They said to do a BPF
filter.

I tried the following command:

snort -d -o -A fast -l log -c snort.conf not src net x.x.0.0/16 dst port 80

When I did this, Snort logged next to nothing, including alerts, almost like
Snort was ignoring all traffic.

So I am still trying to figure it out. For the time being I have disabled
unicode and cgi null although I do not want to do that.

Brent Erickson

----- Original Message -----
From: "Guy Bruneau" <bruneau at ...126...>
To: "Charles-Henri Hallard" <ch.hallard at ...628...>
Cc: <snort-users at lists.sourceforge.net>
Sent: Thursday, January 25, 2001 10:03 AM
Subject: Re: [Snort-users] IIS Unicode attack


> Charles-Henri,
>
> One easy way to detect outside in only activity would be by using the pass
> rule to ignore the inside users:
>
> pass tcp $HOME_NET any -> !$HOME_NET 80 (flags: AP; content: "..|25|c1|25|9c"; nocase;)
> pass tcp $HOME_NET any -> !$HOME_NET 80 (flags: AP; content: "..|25|c0|25|af"; nocase;)
> pass tcp $HOME_NET any -> !$HOME_NET 80 (flags: AP; content: "..|25|c1|25|1c"; nocase;)
>
> Hope this helps.
>
> Guy Bruneau
>
> Charles-Henri Hallard wrote:
>
> > Well, does anyone know how to change the detection of the IIS Unicode attack
> > in spp_http_decode so that it detects in only one direction?
> >
> > Today I have some alerts about this, but they occur when internal hosts are
> > surfing the Internet. I would like to detect this only when an Internet user
> > attacks my web server on port 80.
> >
> > Any idea?
> >
> > Also, maybe a stupid question, but is it possible (maybe not, because it's
> > not done) to detect this attack by creating a rule?
> >
> > ==============================
> > Charles-Henri Hallard
> > Tel: 05 49 89 31 01
> > Email: ch.hallard at ...628...
> > ==============================
> >
>
>
>
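
Added example (not part of the original thread and not Snort code): a small Python model of the direction-aware detection being asked for, flagging the three encoded sequences from the quoted rules only on outside -> HOME_NET port 80 traffic. The HOME_NET value, the function names and the sample events are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumption: documentation address range standing in for the protected network.
HOME_NET = ipaddress.ip_network("192.0.2.0/24")

# The three sequences from the quoted rules. In Snort content syntax |25| is
# the byte 0x25 ('%'), so "..|25|c0|25|af" is "..%c0%af" on the wire.
# IGNORECASE mirrors the rules' "nocase" option.
UNICODE_TRAVERSAL = re.compile(r"\.\.%(?:c1%9c|c0%af|c1%1c)", re.IGNORECASE)


def is_inbound_web(src, dst, dport):
    """True only for traffic from outside HOME_NET to a HOME_NET host on port 80."""
    return (
        ipaddress.ip_address(src) not in HOME_NET
        and ipaddress.ip_address(dst) in HOME_NET
        and dport == 80
    )


def classify(event):
    """Classify one (src, dst, dport, uri) event as 'alert', 'suppressed' or 'clean'."""
    src, dst, dport, uri = event
    if not UNICODE_TRAVERSAL.search(uri):
        return "clean"
    # Same pattern, different outcome depending on direction: this is the
    # effect the pass rules aim for with "$HOME_NET any -> !$HOME_NET 80".
    return "alert" if is_inbound_web(src, dst, dport) else "suppressed"


# Constructed sample events: (source IP, destination IP, destination port, URI).
SAMPLE_EVENTS = [
    ("198.51.100.7", "192.0.2.10", 80, "/a/..%c0%af../b"),   # outside -> web server
    ("192.0.2.55", "203.0.113.9", 80, "/a/..%C1%9c../b"),    # inside user surfing out
    ("198.51.100.7", "192.0.2.10", 80, "/index.html"),       # no encoded sequence
    ("198.51.100.7", "192.0.2.10", 8080, "/a/..%c1%1c../b"), # inbound, but not port 80
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(classify(ev), ev)
```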




