[Snort-users] sid=1042 IIS view source via translate header

Everist, Benjamin S. (NASWI) EveristB at ...8190...
Fri Jun 27 09:03:10 EDT 2003


Has anyone seen anything like this before?  It doesn't look like the
translate: f vuln [0], except that it contains the translate: f header.
The long string of gobbledygook after the auth: negotiate looks
suspicious to me, but what do I know?  I looked through the IIS 'sploits
at bugtraq and didn't see anything that matches.  Is this valid traffic?

000 : 4F 50 54 49 4F 4E 53 20 2F 20 48 54 54 50 2F 31   OPTIONS / HTTP/1
010 : 2E 31 0D 0A 74 72 61 6E 73 6C 61 74 65 3A 20 66   .1..translate: f
020 : 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 69   ..User-Agent: Mi
030 : 63 72 6F 73 6F 66 74 2D 57 65 62 44 41 56 2D 4D   crosoft-WebDAV-M
040 : 69 6E 69 52 65 64 69 72 2F 35 2E 31 2E 32 36 30   iniRedir/5.1.260
050 : 30 0D 0A 48 6F 73 74 3A 20 xx xx xx xx xx xx xx   0..Host: xxxxxxx
060 : xx xx xx xx xx xx xx 0D 0A 41 75 74 68 6F 72 69   xxxxxxx..Authori
070 : 7A 61 74 69 6F 6E 3A 20 4E 65 67 6F 74 69 61 74   zation: Negotiat
080 : 65 20 54 6C 52 4D 54 56 4E 54 55 41 41 44 41 41   e TlRMTVNTUAADAA
090 : 41 41 47 41 41 59 41 47 6F 41 41 41 41 59 41 42   AAGAAYAGoAAAAYAB
0a0 : 67 41 67 67 41 41 41 41 67 41 43 41 42 41 41 41   gAggAAAAgACABAAA
0b0 : 41 41 47 67 41 61 41 45 67 41 41 41 41 49 41 41   AAGgAaAEgAAAAIAA
0c0 : 67 41 59 67 41 41 41 41 41 41 41 41 43 61 41 41   gAYgAAAAAAAACaAA
0d0 : 41 41 42 59 4B 49 6F 46 67 41 56 51 42 4D 41 46   AABYKIoFgAVQBMAF
0e0 : 55 41 51 51 42 6B 41 47 30 41 61 51 42 75 41 47   UAQQBkAG0AaQBuAG
0f0 : 6B 41 63 77 42 30 41 48 49 41 59 51 42 30 41 47   kAcwB0AHIAYQB0AG
100 : 38 41 63 67 42 59 41 46 55 41 54 41 42 56 41 50   8AcgBYAFUATABVAP
110 : 70 59 77 6F 45 2F 62 77 42 37 41 41 41 41 41 41   pYwoE/bwB7AAAAAA
120 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 4E   AAAAAAAAAAAAAAAN
130 : 7A 66 74 72 6F 7A 31 69 4A 6E 69 50 6D 34 33 4F   zftroz1iJniPm43O
140 : 77 79 62 63 75 6B 61 55 53 66 53 46 64 45 43 67   wybcukaUSfSFdECg
150 : 3D 3D 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20   ==..Connection: 
160 : 4B 65 65 70 2D 41 6C 69 76 65 0D 0A 43 6F 6E 74   Keep-Alive..Cont
170 : 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 30 0D 0A 0D   ent-Length: 0...
180 : 0A    


[0] http://www.securityfocus.com/bid/1578/discussion/