[Snort-users] sadmind rule

Chris Green cmg at ...671...
Wed May 9 20:44:07 EDT 2001


Andreas Östling <andreaso at ...236...> writes:
> It's also nice to have a generic rule that looks for IIS boxes
> responding to the "dir" requests with an actual directory listing.
> For example something like:
> 
> alert tcp $INTERNAL 80 -> $EXTERNAL any (msg: "Directory listing response - possible vulnerable IIS"; flags: AP; content: "|20 44 69 72 65 63 74 6F 72 79 20 6F 66|"; depth: 13;)
> 

Only use the | | notation if you have to.  It takes a bit longer to
understand that it really is just matching
content: " Directory of".  Good idea for a rule though :>

> 
> ...which may catch something like:
> 
> VULN_IIS:80 -> ATTACKER:41742 TCP TTL:127 TOS:0x0 ID:33953
> IpLen:20 DgmLen:1500 DF
> ***AP*** Seq: 0xDF622603  Ack: 0xF95527CF  Win: 0x4411  TcpLen: 20
> 20 44 69 72 65 63 74 6F 72 79 20 6F 66 20 63 3A   Directory of c:
> 5C 70 72 6F 67 72 61 6D 20 66 69 6C 65 73 5C 63  \program files\c
> 6F 6D 6D 6F 6E 20 66 69 6C 65 73 5C 73 79 73 74  ommon files\syst
> 65 6D 5C 6D 73 61 64 63 0D 0A 0D 0A 32 30 30 30  em\msadc....2000
> 2D 31 30 2D 30 39 20 20 30 39 3A 32 39 20 20 20  -10-09  09:29
> 20 20 20 20 3C 44 49 52 3E 20 20 20 20 20 20 20      <DIR>
> 20 20 20 2E 0D 0A 32 30 30 30 2D 31 30 2D 30 39     ...2000-10-09

-- 
Chris Green <cmg at ...671...>
"Yeah, but you're taking the universe out of context."
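To make the point above concrete, here is an added example (not part of the original thread or of Snort's own code) that converts a Snort `content` string with `|..|` hex sections to bytes, shows that the hex form and the plain `" Directory of"` form are identical, and applies the `depth:13` modifier to a constructed copy of the payload bytes quoted in the thread; it also renders bytes back into a content string that uses `|..|` only for bytes that cannot be written as plain text. The parser is simplified and does not handle backslash escapes; function names are the author's own choice.

```python
# Constructed copy of the payload bytes quoted in the thread (the IIS "dir"
# listing segment), used as sample input; only the hex columns are needed.
PAYLOAD = bytes.fromhex(
    "20 44 69 72 65 63 74 6F 72 79 20 6F 66 20 63 3A "
    "5C 70 72 6F 67 72 61 6D 20 66 69 6C 65 73 5C 63 "
    "6F 6D 6D 6F 6E 20 66 69 6C 65 73 5C 73 79 73 74 "
    "65 6D 5C 6D 73 61 64 63 0D 0A 0D 0A 32 30 30 30 "
    "2D 31 30 2D 30 39 20 20 30 39 3A 32 39 20 20 20 "
    "20 20 20 20 3C 44 49 52 3E 20 20 20 20 20 20 20 "
    "20 20 20 2E 0D 0A 32 30 30 30 2D 31 30 2D 30 39"
)

HEX_RULE_CONTENT = "|20 44 69 72 65 63 74 6F 72 79 20 6F 66|"   # as posted
PLAIN_RULE_CONTENT = " Directory of"                              # same bytes

def snort_content_to_bytes(content: str) -> bytes:
    """Turn a Snort 'content' string into raw bytes: each |...| section holds hex
    byte values, text outside the bars is literal (backslash escapes not handled)."""
    out = bytearray()
    for i, chunk in enumerate(content.split("|")):
        out.extend(bytes.fromhex(chunk) if i % 2 else chunk.encode("latin-1"))
    return bytes(out)

def content_matches(payload: bytes, content: str, depth: int = 0) -> bool:
    """Content match with Snort's 'depth' modifier (0 = unlimited): the pattern must
    lie within the first `depth` payload bytes, so depth == len(pattern) means offset 0."""
    needle = snort_content_to_bytes(content)
    haystack = payload[:depth] if depth else payload
    return needle in haystack

def to_readable_content(raw: bytes) -> str:
    """Render bytes as a content string that uses |..| only where it must: for
    non-printable bytes and for Snort's special characters | " ; and backslash."""
    parts, hex_run = [], []
    for b in raw:
        if 0x20 <= b < 0x7F and b not in b'|";\\':
            if hex_run:
                parts.append("|" + " ".join(hex_run) + "|")
                hex_run = []
            parts.append(chr(b))
        else:
            hex_run.append(f"{b:02X}")
    if hex_run:
        parts.append("|" + " ".join(hex_run) + "|")
    return "".join(parts)

if __name__ == "__main__":
    print(to_readable_content(snort_content_to_bytes(HEX_RULE_CONTENT)))
    print(content_matches(PAYLOAD, PLAIN_RULE_CONTENT, depth=13))
    print(content_matches(b"HTTP/1.0 200 OK\r\n" + PAYLOAD, PLAIN_RULE_CONTENT, depth=13))
```

Because the pattern is 13 bytes and `depth` is 13, the rule only fires when the listing starts at payload offset 0, as in the quoted continuation segment; a segment that begins with the HTTP status line and headers is not matched unless `depth` is raised or dropped.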