[Snort-users] Well : IIS Unicode attack

Charles-Henri Hallard ch.hallard at ...628...
Fri Jan 26 06:09:13 EST 2001


Ok, well, I spent some time on this attack trying to understand how I can see
this attack.

According to X-Force, this attack can be detected by looking for two periods,
followed by either 0xC0, 0xC1, 0xE0, 0xF0, 0xF8, or 0xFC.

So I looked at the code in spp_http_decode.c, but there is something I don't understand:
in this code we are looking for % followed by either 0xC0, 0xC1, 0xE0, 0xF0,
0xF8, or 0xFC.

So who is right?

Now, according to X-Force, the Snort rules should be:

alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (flags: AP; content: "..|c0|"; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (flags: AP; content: "..|c1|"; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (flags: AP; content: "..|e0|"; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (flags: AP; content: "..|f0|"; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (flags: AP; content: "..|f8|"; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (flags: AP; content: "..|fc|"; )

Is this correct, or am I wrong everywhere??

Thanks

==============================
Charles-Henri Hallard
tel : 05 49 89 31 01
email : ch.hallard at ...628...
==============================


-----Original Message-----
From: Guy Bruneau [mailto:bruneau at ...126...]
Sent: Thursday 25 January 2001 19:03
To: Charles-Henri Hallard
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] IIS Unicode attack


Charles-Henri,

One easy way to detect outside-in activity only would be to use the pass
rule to ignore the inside users:

pass tcp $HOME_NET any -> !$HOME_NET 80 (flags: AP; content: "..|25|c1|25|9c"; nocase;)
pass tcp $HOME_NET any -> !$HOME_NET 80 (flags: AP; content: "..|25|c0|25|af"; nocase;)
pass tcp $HOME_NET any -> !$HOME_NET 80 (flags: AP; content: "..|25|c1|25|1c"; nocase;)

Hope this helps.

Guy Bruneau

Charles-Henri Hallard wrote:

> Well, does anyone know how to change the detection of IIS Unicode Attack in
> spp_http_decode so that it detects only in one way?
>
> Today I have some alerts about this, but they occur when internal hosts are
> surfing on the Internet; I would like to detect this only when an Internet
> user attacks my Web Server on port 80.
>
> Any idea?
>
> Also, maybe a stupid question, but is it possible (maybe not, because it's
> not done) to detect this attack by creating a rule?
>
> ==============================
> Charles-Henri Hallard
> tel : 05 49 89 31 01
> email : ch.hallard at ...628...
> ==============================
>
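As an added example that is not from this thread or from Snort's own code, the following Python puts the two readings side by side (the X-Force "two periods followed by a raw lead byte" match from the first message, and the "% followed by a lead byte" form the author found in spp_http_decode.c), adds a single percent-decode step, and applies the direction filter that Guy's pass rules describe. HOME_NET, the sample URIs and all function names are assumptions made for the example.

```python
import ipaddress
import re
from urllib.parse import unquote_to_bytes

# Overlong UTF-8 lead bytes listed in the X-Force advisory quoted in the thread.
OVERLONG_LEADS = (0xC0, 0xC1, 0xE0, 0xF0, 0xF8, 0xFC)

# Assumed home network for the direction check (RFC 5737 documentation range).
HOME_NET = ipaddress.ip_network("192.0.2.0/24")

def raw_match(uri: bytes) -> bool:
    """X-Force style content match: literal '..' followed by a raw lead byte
    (what content:"..|c0|" looks for on the wire)."""
    return any((b".." + bytes([lead])) in uri for lead in OVERLONG_LEADS)

def encoded_match(uri: bytes) -> bool:
    """'%' followed by the hex form of a lead byte, e.g. '%c0' or '%C0',
    which is how the thread reads the check in spp_http_decode.c."""
    return re.search(rb"%(?:c0|c1|e0|f0|f8|fc)", uri, re.IGNORECASE) is not None

def decoded_match(uri: bytes) -> bool:
    """Percent-decode the URI once, then apply the raw '..' + lead byte test.
    This is what an HTTP decode step buys you: both wire forms fire."""
    return raw_match(unquote_to_bytes(uri))

def should_alert(src_ip: str, dst_port: int, uri: bytes) -> bool:
    """Mirror the pass rules in the reply: only traffic from outside HOME_NET
    to port 80 is considered; inside users surfing out are ignored."""
    if dst_port != 80 or ipaddress.ip_address(src_ip) in HOME_NET:
        return False
    return decoded_match(uri)

# Constructed sample request URIs (not captured traffic).
SAMPLES = {
    "benign": b"/index.html",
    "percent_encoded": b"/scripts/..%c0%af../example.txt",
    "raw_bytes": b"/scripts/..\xc0\xaf../example.txt",
}

def compare_checks() -> dict:
    """Return, per sample, which of the three checks fires (raw, encoded, decoded)."""
    return {name: (raw_match(u), encoded_match(u), decoded_match(u))
            for name, u in SAMPLES.items()}
```

Running compare_checks() shows that the raw-byte rule and the %-form rule each miss one of the two wire encodings, while the decode-then-match check catches both.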
