[Snort-users] sadmind rule

Andreas Östling andreaso at ...236...
Wed May 9 16:38:47 EDT 2001


On Wed, 9 May 2001, Andrew Daviel wrote:
> We were just hit by the sadmind/IIS worm
> http://www.cert.org/advisories/CA-2001-11.html
>
> I've been trying to retroactively find what might have been actually
> attacked buried in all the port 80 traffic
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg: "sadmind"; flags: PA;
> content: "GET /scripts/root.exe"; )


It's also nice to have a generic rule that looks for IIS boxes
responding to the "dir" requests with an actual directory listing.
For example something like:

alert tcp $INTERNAL 80 -> $EXTERNAL any (msg: "Directory listing response - possible vulnerable IIS"; flags: AP; content: "|20 44 69 72 65 63 74 6F 72 79 20 6F 66|"; depth: 13;)


...which may catch something like:

VULN_IIS:80 -> ATTACKER:41742 TCP TTL:127 TOS:0x0 ID:33953
IpLen:20 DgmLen:1500 DF
***AP*** Seq: 0xDF622603  Ack: 0xF95527CF  Win: 0x4411  TcpLen: 20
20 44 69 72 65 63 74 6F 72 79 20 6F 66 20 63 3A   Directory of c:
5C 70 72 6F 67 72 61 6D 20 66 69 6C 65 73 5C 63  \program files\c
6F 6D 6D 6F 6E 20 66 69 6C 65 73 5C 73 79 73 74  ommon files\syst
65 6D 5C 6D 73 61 64 63 0D 0A 0D 0A 32 30 30 30  em\msadc....2000
2D 31 30 2D 30 39 20 20 30 39 3A 32 39 20 20 20  -10-09  09:29
20 20 20 20 3C 44 49 52 3E 20 20 20 20 20 20 20      <DIR>
20 20 20 2E 0D 0A 32 30 30 30 2D 31 30 2D 30 39     ...2000-10-09
...


Regards,
Andreas Östling





More information about the Snort-users mailing list