[Snort-users] snort 1.8.1 sometimes not logging packets on .ida attempt rule

Russell Fulton r.fulton at ...3809...
Sun Oct 14 19:59:02 EDT 2001

I am running snort 1.8.1 on a debian linux system.  With the 
demise of Code Red II the noise level on the .ida alerts has dropped 
way down but I am still seeing a trickle of ida alerts.  A few are the 
old original code red (with the NNNN padding) as expected but others 
don't have any packet captures to correspond to the alerts.

I also have an old snort 1.7 running on another box watching the same 
bit of network and this one does not record the .ida attempts that fail 
to produce packet captures on 1.8.1 (yes I do have an ida? rule in the 
1.7 ruleset).

I have verified in at least one instance that the alert was correct by 
examining the logs of the web server which was targeted.

[**] [1:1243:1] WEB-IIS ISAPI .ida attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 10]
10/15-14:11:29.254613 0:0:0:0:0:0 -> 0:0:0:0:0:0 type:0x0 len:0x5EE -> TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:1504
***AP*** Seq: 0xA70ABE0D Ack: 0x73F6BD5A Win: 0x2238 TcpLen: 20

- - [15/Oct/2001:14:11:29 +1300] "GET

Here is the ida rule that I am using  on 1.8.1:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .ida attempt"; uricontent:".ida?"; nocase; dsize:>239; flags:A+; reference:arachnids,552; classtype:attempted-admin; reference:cve,CAN-2000-0071; sid:1243; rev:1;)

and 1.7:

alert TCP $EXTERNAL_NET any -> $HOME_NET 80 (msg: "IDS552/web-iis_IIS ISAPI Overflow ida"; flags: A; content: ".ida?";)

Any ideas why 1.7 isn't logging these and (more importantly ;-) 1.8.1 
isn't logging the packet?

Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand
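To show concretely how the two rules quoted in the post treat a packet like the one in the alert, here is an added Python model (not Snort code and not from the original post): it implements only the flags, dsize and content/uricontent options, and the sample packet is constructed to mirror the ***AP*** (PSH+ACK) alert with Code Red style NNNN padding. Under Snort's flags semantics, `A` matches only a bare ACK while `A+` matches ACK plus any other flags, which is one difference between the two rules as written.

```python
# Added illustration, not Snort code: a minimal model of the packet-level
# options in the two .ida rules quoted above (flags, dsize, content/uricontent).
TCP_FLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}

# The two rules from the post, reduced to the options this model understands.
RULE_181 = {"name": "1.8.1 sid:1243", "flags": "A+", "dsize_gt": 239,
            "uricontent": b".ida?", "nocase": True}
RULE_17 = {"name": "1.7 IDS552", "flags": "A", "content": b".ida?", "nocase": False}

# Constructed packet shaped like the alert in the post: PSH+ACK (***AP***)
# carrying a Code Red style request with NNNN padding (payload > 239 bytes).
SAMPLE_PKT = {"flags": "AP",
              "payload": b"GET /default.ida?" + b"N" * 240 + b" HTTP/1.0\r\n"}

def flags_to_mask(spec):
    return sum(TCP_FLAGS[c] for c in set(spec))

def flags_match(spec, pkt_flags):
    """Snort semantics: 'A' = exactly ACK, 'A+' = ACK plus anything, 'A*' = any of."""
    mode = spec[-1] if spec[-1] in "+*" else ""
    want, have = flags_to_mask(spec.rstrip("+*")), flags_to_mask(pkt_flags)
    if mode == "+":
        return have & want == want
    if mode == "*":
        return have & want != 0
    return have == want

def content_match(needle, haystack, nocase):
    return needle.lower() in haystack.lower() if nocase else needle in haystack

def rule_matches(rule, pkt):
    payload = pkt["payload"]
    if not flags_match(rule["flags"], pkt["flags"]):
        return False
    if "dsize_gt" in rule and len(payload) <= rule["dsize_gt"]:
        return False
    if "content" in rule and not content_match(rule["content"], payload, rule["nocase"]):
        return False
    if "uricontent" in rule:  # Snort checks uricontent against the request URI only
        parts = payload.split(b" ", 2)
        uri = parts[1] if len(parts) > 1 else b""
        if not content_match(rule["uricontent"], uri, rule["nocase"]):
            return False
    return True

def evaluate(pkt):
    return {r["name"]: rule_matches(r, pkt) for r in (RULE_181, RULE_17)}
```

`evaluate(SAMPLE_PKT)` reports the 1.8.1 rule matching and the 1.7 rule not matching, because the 1.7 rule's `flags: A` rejects a packet that also has PSH set; the same payload with only ACK set matches both.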

