[Snort-users] IIS Unicode attack

Guy Bruneau bruneau at ...126...
Thu Jan 25 14:44:33 EST 2001


Brent & Charles-Henri,

Your BPF filter should be written in the following manner in order to ignore
local traffic to port 80 (this is what I use):

snort ip and not src net x.x.0.0/16 and not dst port 80 -c snort.conf -doA fast -l log

Hope this helps,

Guy

____________________
Guy Bruneau, GCIA

Brent Erickson wrote:

> Hello Guy and Charles-Henry,
>
> I am struggling with this problem also. According to Marty and a few other
> folks, the pass rule will not work with unicode. They said to do a BPF
> filter.
>
> I tried the following command:
>
> snort -d -o -A fast -l log -c snort.conf not src net x.x.0.0/16 dst port 80
>
> When I did this, Snort logged next to nothing, including alerts, almost like
> Snort was ignoring all traffic.
>
> So I am still trying to figure it out. For the time being I have disabled
> unicode and cgi null although I do not want to do that.
>
> Brent Erickson
>
> ----- Original Message -----
> From: "Guy Bruneau" <bruneau at ...126...>
> To: "Charles-Henri Hallard" <ch.hallard at ...628...>
> Cc: <snort-users at lists.sourceforge.net>
> Sent: Thursday, January 25, 2001 10:03 AM
> Subject: Re: [Snort-users] IIS Unicode attack
>
> > Charles-Henry,
> >
> > One easy way to detect outside in only activity would be by using the pass
> > rule to ignore the inside users:
> >
> > pass tcp $HOME_NET any -> !$HOME_NET 80 (flags: AP; content: "..|25|c1|25|9c"; nocase;)
> > pass tcp $HOME_NET any -> !$HOME_NET 80 (flags: AP; content: "..|25|c0|25|af"; nocase;)
> > pass tcp $HOME_NET any -> !$HOME_NET 80 (flags: AP; content: "..|25|c1|25|1c"; nocase;)
> >
> > Hope this helps.
> >
> > Guy Bruneau
> >
> > Charles-Henri Hallard wrote:
> >
> > > Well, does anyone know how to change the detection of IIS Unicode Attack in
> > > spp_http_decode so that it detects only in one way?
> > >
> > > Today I have some alerts about this when internal hosts are surfing on the
> > > Internet, but I would like to detect this only when an Internet user attacks
> > > my Web Server on port 80.
> > >
> > > Any idea?
> > >
> > > Also, maybe a stupid question, but is it possible (maybe not, because it's
> > > not done) to detect this attack by creating a rule?
> > >
> > > ==============================
> > > Charles-Henri Hallard
> > > tel : 05 49 89 31 01
> > > email : ch.hallard at ...628...
> > > ==============================
> > >
> >
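The thread asks for two things: a capture filter that drops the internal users' outbound web traffic, and a check for the ..%c1%9c / ..%c0%af / ..%c1%1c sequences that fires only for outside-in requests to the web server. The following is an added example, not code from this thread, from Snort or from its spp_http_decode preprocessor. It models the BPF filter shape from the reply on packet headers (BPF binds `not` tighter than `and`, so `not src net X and not dst port 80` keeps a packet only when both conditions hold, which means every packet to port 80 is dropped regardless of sender), and it implements a small direction-aware decoder that folds those overlong sequences to plain separators before looking for a traversal step. HOME_NET, WEB_PORT, the sample addresses and the request lines are constructed stand-ins for the thread's x.x.0.0/16 and port 80.

```python
"""Direction-aware check for the IIS Unicode traversal discussed in the thread.

Added example (not from the thread or from Snort). It models (1) the
BPF-style filter from the reply, evaluated on packet headers, and (2) a
decoder for the %c0%af / %c1%9c / %c1%1c sequences in the pass rules that
alerts only for outside -> HOME_NET web-server requests.
"""
from __future__ import annotations

import ipaddress
import re
from urllib.parse import unquote_to_bytes

# Constructed values standing in for the thread's x.x.0.0/16 and port 80.
HOME_NET = ipaddress.ip_network("10.0.0.0/16")
WEB_PORT = 80

# Overlong UTF-8 encodings of '/' and '\' that IIS accepted; these are the
# byte pairs from the thread's pass rules (|25|c1|25|9c is "%c1%9c" on the wire).
OVERLONG = {
    b"\xc0\xaf": b"/",
    b"\xc1\x9c": b"\\",
    b"\xc1\x1c": b"\\",
}
TRAVERSAL = re.compile(rb"\.\.[\\/]")


def bpf_keep(src_ip: str, dst_port: int) -> bool:
    """Model 'ip and not src net HOME_NET and not dst port 80'.

    BPF gives 'not' higher precedence than 'and', so a packet is kept only
    if its source is outside HOME_NET AND its destination port is not 80.
    Consequently every packet to port 80 is dropped, whoever sent it.
    """
    src = ipaddress.ip_address(src_ip)
    return (src not in HOME_NET) and (dst_port != WEB_PORT)


def decode_iis_unicode(uri: str) -> tuple[bytes, bool]:
    """Percent-decode the URI, then fold overlong sequences to plain separators.

    Returns (normalised_path, overlong_seen).
    """
    path = unquote_to_bytes(uri)
    seen = False
    for seq, plain in OVERLONG.items():
        if seq in path:
            seen = True
            path = path.replace(seq, plain)
    return path, seen


def is_unicode_traversal(uri: str) -> bool:
    """True when an overlong sequence hides a '../' or '..\\' step."""
    path, seen = decode_iis_unicode(uri)
    return seen and TRAVERSAL.search(path) is not None


def alert_on_request(src_ip: str, dst_ip: str, dst_port: int, request_line: str):
    """Return an alert string only for outside -> HOME_NET:WEB_PORT requests."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    outside_in = src not in HOME_NET and dst in HOME_NET and dst_port == WEB_PORT
    if not outside_in:
        return None  # inside users surfing out are ignored by design
    parts = request_line.split()
    if len(parts) < 2:
        return None
    if is_unicode_traversal(parts[1]):
        return f"IIS Unicode traversal {src} -> {dst}:{dst_port} {parts[1]}"
    return None


# Constructed sample requests: (src, dst, dst_port, request line).
SAMPLES = [
    ("10.0.5.5", "203.0.113.10", 80, "GET /scripts/..%c1%9c../secret.txt HTTP/1.0"),
    ("198.51.100.7", "10.0.1.10", 80, "GET /scripts/..%c0%af../secret.txt HTTP/1.0"),
    ("198.51.100.7", "10.0.1.10", 80, "GET /index.html HTTP/1.0"),
    ("198.51.100.7", "10.0.1.10", 443, "GET /..%c1%1c../x HTTP/1.0"),
]


def run(samples=SAMPLES):
    """Return (kept_by_bpf, alerts) for the sample set, index-aligned."""
    kept = [bpf_keep(src, port) for src, _, port, _ in samples]
    alerts = [alert_on_request(*s) for s in samples]
    return kept, alerts


if __name__ == "__main__":
    for keep, alert in zip(*run()):
        print(f"bpf_keep={keep!s:5}  alert={alert}")
```

Running it shows the two mechanisms side by side: the inside host's outbound request is ignored by both, the outside request carrying %c0%af against the home web server raises the alert from the decoder but is dropped by the modelled filter because it is addressed to port 80, and only the port-443 packet survives the filter.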
