
Re: [Snort-sigs] IIS WebDav sig?

From: Frank Knobbe <fknobbe(at)knobbeits.com>
Date: Mon Mar 17 2003 - 20:19:32 EST

On Mon, 2003-03-17 at 15:07, Lazarakis, Dan wrote:
> Does anyone know what the signature for the latest ISS WebDav
> vulnerability should look for?
> Anyone have a signature for it?

IIS brushed me off with the Disclosure Policy (sorry, no details).

I ran strings over httpext.dll in system32/inetsrv and compiled a list of possible HTTP request methods. The attached rules will log these request methods. Feel free to enable/disable any of these you like. Perhaps by logging some data we just might capture that exploit in the wild so that we can write a specific Snort signature for it.

However, if anyone comes across technical details, please share them with this list!

Regards,
Frank


PS: Add your own SIDs and whatever to the rules...

log tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Method LOCK"; flow:to_server,established; content:"LOCK "; offset:0; depth:5; classtype:web-application-activity;)
log tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Method OPTIONS"; flow:to_server,established; content:"OPTIONS "; offset:0; depth:8; classtype:web-application-activity;)
log tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Method TRACE"; flow:to_server,established; content:"TRACE "; offset:0; depth:6; classtype:web-application-activity;)
#log tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Method GET"; flow:to_server,established; content:"GET "; offset:0; depth:4; classtype:web-application-activity;)
#log tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Method POST"; flow:to_server,established; content:"POST "; offset:0; depth:5; classtype:web-application-activity;)
#log tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Method HEAD"; flow:to_server,established; content:"HEAD "; offset:0; depth:5; classtype:web-application-activity;)
log tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Method BDELETE"; flow:to_server,established; content:"BDELETE "; offset:0; depth:8; classtype:web-application-activity;)
log tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Method DELETE"; flow:to_server,established; content:"DELETE "; offset:0; depth:7; classtype:web-application-activity;)
log tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Method PUT"; flow:to_server,established; content:"PUT "; offset:0; depth:4; classtype:web-application-activity;)
log tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Method BCOPY"; flow:to_server,established; content:"BCOPY "; offset:0; depth:6; classtype:web-application-activity;)
log tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Method COPY"; flow:to_server,established; content:"COPY "; offset:0; depth:5; classtype:web-application-activity;)
log tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Method BMOVE"; flow:to_server,established; content:"BMOVE "; offset:0; depth:6; classtype:web-application-activity;)
log tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Method MOVE"; flow:to_server,established; content:"MOVE "; offset:0; depth:5; classtype:web-application-activity;)
# "MKCOL " is 6 bytes including the trailing space, so depth must be at least 6 or the rule can never match
log tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Method MKCOL"; flow:to_server,established; content:"MKCOL "; offset:0; depth:6; classtype:web-application-activity;)
log tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Method BPROPFIND"; flow:to_server,established; content:"BPROPFIND "; offset:0; depth:10; classtype:web-application-activity;)
log tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Method PROPFIND"; flow:to_server,established; content:"PROPFIND "; offset:0; depth:9; classtype:web-application-activity;)
log tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Method BPROPPATCH"; flow:to_server,established; content:"BPROPPATCH "; offset:0; depth:11; classtype:web-application-activity;)
log tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Method PROPPATCH"; flow:to_server,established; content:"PROPPATCH "; offset:0; depth:10; classtype:web-application-activity;)
log tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Method UNLOCK"; flow:to_server,established; content:"UNLOCK "; offset:0; depth:7; classtype:web-application-activity;)
log tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Method SEARCH"; flow:to_server,established; content:"SEARCH "; offset:0; depth:7; classtype:web-application-activity;)
log tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Method POLL"; flow:to_server,established; content:"POLL "; offset:0; depth:5; classtype:web-application-activity;)
log tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Method SUBSCRIBE"; flow:to_server,established; content:"SUBSCRIBE "; offset:0; depth:10; classtype:web-application-activity;)
log tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Method UNSUBSCRIBE"; flow:to_server,established; content:"UNSUBSCRIBE "; offset:0; depth:12; classtype:web-application-activity;)
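Each rule above is a content match confined to the first `depth` bytes of the request, so the one thing to check before deploying a hand-written batch like this is that every `depth` is at least as long as its `content`. The following is an added example, not Frank's code or part of the post: it parses rule lines of exactly this shape, lints the offset/depth window, and emulates the match against a few constructed, benign request lines. The sample rule set is constructed for the demo and deliberately includes an MKCOL rule whose `depth:5` is shorter than its 6-byte content, so that request is silently missed.

```python
import re

# Option pattern shared by every rule in the post: msg, content, offset, depth.
OPT_RE = re.compile(r'msg:"([^"]+)";.*?content:"([^"]+)";\s*offset:(\d+);\s*depth:(\d+);')

def parse_rule(line):
    """Return the fields of one rule line as a dict, or None if it is not a rule."""
    line = line.strip()
    m = OPT_RE.search(line)
    if not m:
        return None
    msg, content, offset, depth = m.groups()
    return {"msg": msg, "content": content.encode(), "offset": int(offset),
            "depth": int(depth), "enabled": not line.startswith("#")}

def lint_rule(r):
    """Snort tests `content` inside the `depth` bytes that follow `offset`, so a
    content longer than depth can never match. Returns a message or None."""
    if r["depth"] < len(r["content"]):
        return "%s: depth %d is shorter than the %d-byte content; rule can never fire" % (
            r["msg"], r["depth"], len(r["content"]))
    return None

def rule_matches(r, payload):
    """Emulate the content/offset/depth test on the raw request payload."""
    window = payload[r["offset"]:r["offset"] + r["depth"]]
    return r["content"] in window

def scan(rule_lines, payloads):
    """Apply the enabled rules to each payload; return the msg of every hit, in order."""
    active = [r for r in map(parse_rule, rule_lines) if r and r["enabled"]]
    return [r["msg"] for p in payloads for r in active if rule_matches(r, p)]

def make_rule(method, depth, enabled=True):
    """Build a rule line in exactly the shape used in the post (constructed sample)."""
    return ('%slog tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Method %s"; '
            'flow:to_server,established; content:"%s "; offset:0; depth:%d; '
            'classtype:web-application-activity;)' % ("" if enabled else "#", method, method, depth))

# Constructed sample rule set: MKCOL deliberately carries depth:5 for a 6-byte content.
RULES = [make_rule("LOCK", 5), make_rule("PROPFIND", 9), make_rule("BPROPFIND", 10),
         make_rule("SEARCH", 7), make_rule("MKCOL", 5), make_rule("GET", 4, enabled=False)]

# Constructed, benign request lines as a WebDAV client would send them.
REQUESTS = [b"PROPFIND / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
            b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
            b"MKCOL /newdir HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
            b"SEARCH / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
            b"LOCK /doc.txt HTTP/1.1\r\nHost: www.example.com\r\n\r\n"]

if __name__ == "__main__":
    for r in map(parse_rule, RULES):
        problem = lint_rule(r)
        if problem:
            print("LINT:", problem)
    print("HITS:", scan(RULES, REQUESTS))  # the MKCOL request is missed by the broken rule
```

The GET rule is disabled with a leading `#` just as in the post, so a plain GET produces no hit; BPROPFIND and PROPFIND stay distinct because the window starts at offset 0.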




Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
Received on Mon Mar 17 20:52:00 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:25 EDT

