Security Incidents
mailing list archives
RE: Unicode Attack
From: "Palmer, Justin" <justin.palmer () imacorp com>
Date: Thu, 14 Nov 2002 11:31:21 -0600
Nick,
The guy is seeing "ATTACK RESPONSES http dir listing". The signature for
that alert is as follows:
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES http dir listing"; content: "Volume Serial Number"; flow:from_server,established; classtype:bad-unknown; sid:1292; rev:4;)
Clearly these aren't simply probes, but snort alerts indicating his web
servers are _responding_ to the probes with a reply: in this case, an
established connection from his web servers sending the string "Volume
Serial Number". It could obviously be a false alarm if that is a legitimate
phrase in his web content, but I doubt it.
From: Nick FitzGerald [mailto:nick () virus-l demon co uk]
Sent: Wednesday, November 13, 2002 7:35 PM
"Jeremy Junginger" <jjunginger () usbestcrm com> wrote:
It's time again to ask the group for some assistance with interpretation
of web logs and snort alerts. There was some funny activity on the web
farm. I noticed a couple "ATTACK RESPONSES-http dir listing" attacks on
some of our web servers, cueing me in to the fact that the servers in
question were not patched against a Unicode-type vulnerability. ...
Huh?
Your Snort logs will include everything "odd" (as defined by the
Snort ruleset) that goes past your Snort sensors. Nothing seen in
such incoming traffic means anything about your machines being
vulnerable (well, nothing of the sort you report here means your
machines are vulnerable). An "attack" as you call it ("probe" might
be a little less emotive and thus help sort things out) does not mean
you have anything attackable. The same requests directed to an
Apache clearly would not be "an attack", as it is not if directed to
a patched IIS box. Snort (or any other IDS) with the same detection
rules monitoring such traffic, though, will flag it regardless of whether
the target is an IIS or Apache box.
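The distinction both replies turn on (a probe in the request direction says nothing about the target; sid:1292 only matches the server's reply) can be checked mechanically. The following is an added example written for this archive page, not code from either poster or from the Snort project: it emulates the rule's `flow:from_server` plus `content:"Volume Serial Number"` logic over constructed HTTP exchanges, and adds a stricter heuristic of my own (also requiring a `Directory of` line, as Windows `dir` output contains) to separate a real directory-listing reply from the false-positive case Justin mentions, where the phrase appears in legitimate page content. Host names, request paths and response bodies are all made up; the probe URL is deliberately a placeholder.

```python
from dataclasses import dataclass

# The content string from Snort sid:1292 as quoted in the thread.
SID_1292_CONTENT = b"Volume Serial Number"
# Extra marker used only by the stricter heuristic below (assumption: real
# Windows `dir` output always carries a " Directory of " line).
DIR_OF_MARKER = b"Directory of "


@dataclass(frozen=True)
class HttpExchange:
    """One request and the reply sent on an established TCP connection."""
    server: str       # which $HTTP_SERVERS host answered (constructed name)
    request: bytes    # client -> server bytes (the "probe"); never inspected here
    response: bytes   # server -> client bytes; b"" if nothing came back


def sid_1292_fires(ex: HttpExchange) -> bool:
    """Emulates the rule: flow:from_server,established; content match.

    Only the server-to-client direction is examined. The request is ignored,
    which is exactly why a bare probe can never raise this alert."""
    return SID_1292_CONTENT in ex.response


def looks_like_dir_output(ex: HttpExchange) -> bool:
    """Stricter, added heuristic: both dir-output markers present."""
    return sid_1292_fires(ex) and DIR_OF_MARKER in ex.response


def triage(exchanges):
    """Return (server, rule_fired, verdict) per exchange, in the thread's terms."""
    verdicts = []
    for ex in exchanges:
        if looks_like_dir_output(ex):
            verdict = "dir listing output returned: server executed the command"
        elif sid_1292_fires(ex):
            verdict = "phrase matched but no dir structure: review content, likely FP"
        else:
            verdict = "probe only: no evidence this target is vulnerable"
        verdicts.append((ex.server, sid_1292_fires(ex), verdict))
    return verdicts


def responding_servers(exchanges):
    """Hosts whose replies would have raised sid:1292 at all."""
    return sorted({ex.server for ex in exchanges if sid_1292_fires(ex)})


# --- constructed sample traffic (not captured data) ------------------------
PROBE = b"GET /PROBE-PATH-NOT-REPRODUCED HTTP/1.0\r\nHost: www\r\n\r\n"

NOT_FOUND = (b"HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n"
             b"<html><body>Not Found</body></html>")

# Shape of what an unpatched server would hand back: raw `dir` output.
DIR_LISTING = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
               b" Volume in drive C has no label.\r\n"
               b" Volume Serial Number is 1234-ABCD\r\n\r\n"
               b" Directory of C:\\inetpub\\scripts\r\n")

# Legitimate page that happens to contain the rule's content string.
LEGIT_PAGE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
              b"<html><body><p>How to read the Volume Serial Number of a "
              b"disk</p></body></html>")

SAMPLE = [
    HttpExchange("apache-1", PROBE, NOT_FOUND),        # Nick's point: not attackable
    HttpExchange("iis-patched", PROBE, NOT_FOUND),     # same probe, patched box
    HttpExchange("iis-unpatched", PROBE, DIR_LISTING), # Justin's point: it answered
    HttpExchange("kb-site", b"GET /kb/serial.html HTTP/1.0\r\n\r\n", LEGIT_PAGE),
]

if __name__ == "__main__":
    for server, fired, note in triage(SAMPLE):
        print(f"{server:14} sid:1292={'yes' if fired else 'no':3} {note}")
    print("servers that answered with dir output:", responding_servers(SAMPLE))
```

Running it shows the two Apache/patched-IIS probes producing no alert at all, the unpatched host producing a confirmed hit, and the knowledge-base page producing a hit that the stricter heuristic flags for manual review rather than as a compromise.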
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com