Hosting Provided By

[Snort-devel] snort does not detect good rules

From: <jvarlet(at)ares51.fr>
Date: Mon Apr 26 2004 - 09:48:44 EDT

Hello,

I'm testing snort. So, I have installed a 2000 server without any patches. I use Metasploit with WebDAV Overflow (snort rule : 2091).

But Snort does not detect it. It only says that :

I would like Snort to detect the attack : Exploit perl code :
$request = "SEARCH /" . $url ." HTTP/1.1\r\n";
$request .= "Host: " . $target_host . ":" . $target_port . "\r\n";
$request .= "Content-Type: text/xml\r\n";
$content .= "<?xml version=\"1.0\"?>\r\n<g:searchrequest xmlns:g=\"DAV:\">\r\n";
$content .= "<g:sql>\r\nSelect \"DAV:displayname\" from scope()\r\n</g:sql>\r\n</g:searchrequest>\r\n";
$request .= "Content-Length: " . length($content) . "\r\n";
$request .= "\r\n$content";

Snort rule detected : 1070 WEB-MISC WebDAV search access

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC WebDAV search access"; flow:to_server,established; content: "SEARCH "; depth: 8; nocase;reference:arachnids,474; classtype:web-application-activity; sid:1070; rev:6;)

Snort rule that i want to detect: 2091 WEB-IIS WEBDAV exploit attempt

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS WEBDAV exploit attempt"; flow:to_server,established; content:"HTTP/1.1|0a|Content-type|3a| text/xml|0a|HOST|3a|"; content:"Accept|3a| |2a|/|2a0a|Translate|3a| f|0a|Content-length|3a|5276|0a0a|"; distance:1; reference:cve,CAN-2003-0109; reference:bugtraq,7716; reference:url,www.microsoft.com/technet/security/bulletin/ms03-007.mspx; classtype:attempted-admin; sid:2090; rev:4;)

Do you need help?

How can i do ??

Thanks a lot.

This SF.net email is sponsored by: The Robotic Monkeys at ThinkGeek For a limited time only, get FREE Ground shipping on all orders of $35 or more. Hurry up and shop folks, this offer expires April 30th! http://www.thinkgeek.com/freeshipping/?cpg=12297

Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel

application/octet-stream attachment: Julien_VARLET.vcf

Received on Mon Apr 26 10:12:26 2004

This message: [ Message body ]
Next message: Dennis George: "Re: [Snort-devel] Content across multiple packets Not detected by Snort"
Previous message: Martin Roesch: "Re: [Snort-devel] Content across multiple packets Not detected by Snort"
Next in thread: Paul Tinsley: "Re: [Snort-devel] snort does not detect good rules"
Reply: Paul Tinsley: "Re: [Snort-devel] snort does not detect good rules"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:10 EDT