[Snort-sigs] no classtype 4 webdavrules in snortrules-stable - Mon Mar 31 01:15:29 2003 GMT

From: Sean Wheeler <s.wheeler(at)netprotect.ch>
Date: Mon Mar 31 2003 - 05:54:30 EST


Hi,

Just a minor issue regarding the 2 IIS webdav sigs: I noticed there is no classtype specified for them.

Below, find the rules as per stable and as changed.

As per stable



alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS WEBDAV exploit attempt"; flow:to_server,established; content:"HTTP/1.1|0a|Content-type|3a| text/xml|0a|HOST|3a|"; content:"Accept|3a| |2a|/|2a0a|Translate|3a| f|0a|Content-length|3a|5276|0a0a|"; distance:1; reference:cve,CAN-2003-0109; reference:bugtraq,7716; sid:2090; rev:1;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS WEBDAV nessus safe scan attempt"; flow:to_server,established; content:"SEARCH / HTTP/1.1|0d0a|Host|3a|"; content:"|0d0a0d0a|"; within:255; reference:cve,CAN-2003-0109; reference:bugtraq,7116; reference:nessus,11412; sid:2091; rev:1;)

With change



alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS WEBDAV exploit attempt"; flow:to_server,established; content:"HTTP/1.1|0a|Content-type|3a| text/xml|0a|HOST|3a|"; content:"Accept|3a| |2a|/|2a0a|Translate|3a| f|0a|Content-length|3a|5276|0a0a|"; distance:1; classtype:web-application-attack; reference:cve,CAN-2003-0109; reference:bugtraq,7716; sid:2090; rev:1;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS WEBDAV nessus safe scan attempt"; flow:to_server,established; content:"SEARCH / HTTP/1.1|0d0a|Host|3a|"; content:"|0d0a0d0a|"; within:255; classtype:web-application-attack; reference:cve,CAN-2003-0109; reference:bugtraq,7116; reference:nessus,11412; sid:2091; rev:1;)

regards

Sean



Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

Received on Mon Mar 31 06:37:54 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:26 EDT
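
Added example (not part of the original message and not Snort project code): a small lint check that reports the sid of every rule lacking a classtype option, the omission the post points out. It splits options on ';' outside quoted strings, so a "classtype:" that only appears inside a msg string does not count; the sid 1000001 and 1000002 rules are constructed for illustration.

```python
import re

# The sid 2090/2091 rules are copied from the post ("as per stable");
# the sid 1000001/1000002 rules are constructed for this example.
RULES = r'''
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS WEBDAV exploit attempt"; flow:to_server,established; content:"HTTP/1.1|0a|Content-type|3a| text/xml|0a|HOST|3a|"; content:"Accept|3a| |2a|/|2a0a|Translate|3a| f|0a|Content-length|3a|5276|0a0a|"; distance:1; reference:cve,CAN-2003-0109; reference:bugtraq,7716; sid:2090; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS WEBDAV nessus safe scan attempt"; flow:to_server,established; content:"SEARCH / HTTP/1.1|0d0a|Host|3a|"; content:"|0d0a0d0a|"; within:255; reference:cve,CAN-2003-0109; reference:bugtraq,7116; reference:nessus,11412; sid:2091; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"constructed; classtype:misc-activity; in msg"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"constructed with classtype"; classtype:web-application-attack; sid:1000002; rev:1;)
'''

RULE_RE = re.compile(
    r'^\s*(?:alert|log|pass|drop|reject|sdrop|activate|dynamic)\s[^(]*\((.*)\)\s*$')

def split_options(body):
    """Split the option body on ';', ignoring ';' that is quoted or escaped."""
    opts, buf, in_quote, escaped = [], [], False, False
    for ch in body:
        if ch == ";" and not in_quote and not escaped:
            opts.append("".join(buf).strip())
            buf = []
            continue
        if ch == '"' and not escaped:
            in_quote = not in_quote
        escaped = (ch == "\\" and not escaped)
        buf.append(ch)
    opts.append("".join(buf).strip())
    return [o for o in opts if o]

def parse_rule(line):
    """Return (keyword, value) pairs for one rule line, or None if not a rule."""
    m = RULE_RE.match(line)
    if m is None:
        return None
    return [tuple(s.strip() for s in opt.partition(":")[::2])
            for opt in split_options(m.group(1))]

def missing_classtype(text):
    """Return the sid of every rule in text that has no classtype option."""
    missing = []
    for line in text.splitlines():
        opts = parse_rule(line)
        if opts is not None and all(key != "classtype" for key, _ in opts):
            missing.append(dict(opts).get("sid", "?"))
    return missing

if __name__ == "__main__":
    print(missing_classtype(RULES))
```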