[Snort-users] snort 1.8.1 sometimes not logging packets on .ida attempt rule
r.fulton at ...3809...
Sun Oct 14 19:59:02 EDT 2001
I am running snort 1.8.1 on a debian linux system. With the
demise of Code Red II the noise level on the .ida alerts has dropped
way down, but I am still seeing a trickle of .ida alerts. A few are the
old original Code Red (with the NNNN padding), as expected, but others
don't have any packet captures to correspond to the alerts.
I also have an old snort 1.7 running on another box watching the same
bit of network, and this one does not record the .ida attempts that fail
to produce packet captures on 1.8.1 (yes, I do have an ida? rule in the
I have verified in at least one instance that the alert was correct by
examining the logs of the web server which was targeted.
[**] [1:1243:1] WEB-IIS ISAPI .ida attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 10]
10/15-14:11:29.254613 0:0:0:0:0:0 -> 0:0:0:0:0:0 type:0x0 len:0x5EE
220.127.116.11:48445 -> 18.104.22.168:80 TCP TTL:240 TOS:0x10 ID:0
***AP*** Seq: 0xA70ABE0D Ack: 0x73F6BD5A Win: 0x2238 TcpLen: 20
22.214.171.124 - - [15/Oct/2001:14:11:29 +1300] "GET
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 336 "-" "-"
Here is the ida rule that I am using on 1.8.1:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .ida attempt"; uricontent:".ida?"; nocase; dsize:>239; flags:A+; reference:cve,CAN-2000-0071; sid:1243; rev:1;)
alert TCP $EXTERNAL_NET any -> $HOME_NET 80 (msg: "IDS552/web-iis_IIS ISAPI Overflow ida"; flags: A; content: ".ida?";)
Any ideas why 1.7 isn't logging these and (more importantly ;-) 1.8.1
isn't logging the packet?
Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand
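As an added illustration (not code from the post, and not Snort's own implementation), the Python below re-implements only the match options the two quoted rules use and runs them over constructed packets. It shows where the two rules disagree: sid 1243 needs more than 239 bytes of payload and accepts ACK together with any other flags (`flags:A+`), while the IDS552 rule accepts any payload size but, with a bare `flags: A`, requires exactly ACK and nothing else. The sample packets, the 224-byte padding count (modelled on the request in the web-server log above) and the `request_uri` helper are assumptions made for the example; whether either difference accounts for what the two sensors in the post are doing cannot be decided from the post itself.

```python
"""
Added example: match semantics of the two .ida rules quoted in the post
(sid 1243 and arachNIDS IDS552), exercised on constructed packets.
Only flags, dsize, content, uricontent and nocase are modelled; stream
reassembly, HTTP URI normalisation, rule ordering and output plugins
are out of scope. This is not Snort's code.
"""
from dataclasses import dataclass

# TCP flag bits, named as Snort's 'flags' option names them.
FLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}


@dataclass
class Packet:
    """The few fields the two rules inspect (constructed, not captured)."""
    dport: int
    tcp_flags: int      # bitmask built from FLAGS
    payload: bytes      # TCP payload only


def flags_match(spec: str, tcp_flags: int) -> bool:
    """Snort 'flags:' option. Letters name the bits that must be set; with no
    modifier the match is exact (no other bit may be set), '+' allows any
    additional bits, '*' matches if any listed bit is set."""
    modifier = spec[-1] if spec[-1] in "+*" else ""
    want = 0
    for ch in spec.rstrip("+*"):
        want |= FLAGS[ch]
    if modifier == "+":
        return tcp_flags & want == want
    if modifier == "*":
        return tcp_flags & want != 0
    return tcp_flags == want


def dsize_match(spec: str, size: int) -> bool:
    """Snort 'dsize:' option on the payload length: '>N', '<N' or exact 'N'."""
    if spec.startswith(">"):
        return size > int(spec[1:])
    if spec.startswith("<"):
        return size < int(spec[1:])
    return size == int(spec)


def request_uri(payload: bytes) -> bytes:
    """Crude stand-in (assumption) for the URI that uricontent inspects: the
    URI token of the request line, or b'' if there is no request line."""
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    return parts[1] if len(parts) >= 3 else b""


def sid1243_matches(pkt: Packet) -> bool:
    """alert tcp ... 80 (uricontent:".ida?"; nocase; dsize:>239; flags:A+;)"""
    return (pkt.dport == 80
            and flags_match("A+", pkt.tcp_flags)
            and dsize_match(">239", len(pkt.payload))
            and b".ida?" in request_uri(pkt.payload).lower())


def ids552_matches(pkt: Packet) -> bool:
    """alert TCP ... 80 (flags: A; content: ".ida?";)  exact flags, raw content"""
    return (pkt.dport == 80
            and flags_match("A", pkt.tcp_flags)
            and b".ida?" in pkt.payload)


def evaluate(pkt: Packet) -> dict:
    """Verdict of both rules for one packet."""
    return {"sid1243": sid1243_matches(pkt), "ids552": ids552_matches(pkt)}


# Constructed samples. CODE_RED_REQUEST mirrors the shape of the request in the
# web-server log quoted in the post (224 'N's, then the %u-encoded tail);
# SHORT_PROBE is a hypothetical minimal hit on the ".ida?" string.
CODE_RED_REQUEST = (
    b"GET /default.ida?" + b"N" * 224
    + b"%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3"
    b"%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a"
    b" HTTP/1.0\r\n\r\n")
SHORT_PROBE = b"GET /default.ida?x HTTP/1.0\r\n\r\n"

CODE_RED_AP = Packet(80, FLAGS["A"] | FLAGS["P"], CODE_RED_REQUEST)  # ***AP***
CODE_RED_A = Packet(80, FLAGS["A"], CODE_RED_REQUEST)
SHORT_PROBE_A = Packet(80, FLAGS["A"], SHORT_PROBE)
SHORT_PROBE_AP = Packet(80, FLAGS["A"] | FLAGS["P"], SHORT_PROBE)

if __name__ == "__main__":
    for name in ("CODE_RED_AP", "CODE_RED_A", "SHORT_PROBE_A", "SHORT_PROBE_AP"):
        pkt = globals()[name]
        print(f"{name:15} dsize={len(pkt.payload):4} "
              f"flags=0x{pkt.tcp_flags:02x} {evaluate(pkt)}")
```

The point to take from running it: a packet with PSH and ACK set (the `***AP***` in the alert above) satisfies `flags:A+` but not a bare `flags: A`, and a short request carrying `.ida?` satisfies the IDS552 rule but never sid 1243 because of `dsize:>239`. Two sensors running these two rules will therefore not alert on the same set of packets even when they see identical traffic.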