Pantek Library

[Snort-sigs] WEB-IIS Translate update...

From: Erik Fichtner <emf(at)servervault.com>
Date: Wed Mar 31 2004 - 15:53:40 EST


Hi all. sid 1042 rev 6 falses an awful lot, and the original attack doesn't happen very often anymore (if it ever really did). I propose a modification:

(line split for readability)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS view source via translate header"; flow:to_server,established; \
	pcre: !"/(PROPFIND|OPTIONS)/i"; \
	content: "Translate|3a| F"; nocase; \
	content: !"User-Agent|3a| Microsoft-WebDAV-MiniRedir/5.1.2600"; \
	reference:arachnids,305; reference:bugtraq,1578; classtype:web-application-activity; sid:1001042;  rev:6;)
-- 
Erik Fichtner
Principal Engineer, Information Security, ServerVault Corp.
703-652-5900
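The three payload options of the rule proposed above, approximated in Python and run over sample requests to show which ones would still alert. This is an added example, not part of the original post and not Snort itself; the requests, host name and helper names are constructed, and the rule header and flow options are not modeled.

```python
import re

# Payload options of the proposed rule, approximated in Python (this is not Snort):
METHOD_RE = re.compile(rb"(PROPFIND|OPTIONS)", re.I)   # pcre:!"/(PROPFIND|OPTIONS)/i"
TRANSLATE = b"translate: f"                             # content:"Translate|3a| F"; nocase
MINIREDIR = b"User-Agent: Microsoft-WebDAV-MiniRedir/5.1.2600"  # content:!"..." (case-sensitive)

def rule_fires(payload: bytes) -> bool:
    """True when all three payload options of the proposed rule are satisfied."""
    if METHOD_RE.search(payload):          # negated pcre, unanchored: matches anywhere
        return False
    if TRANSLATE not in payload.lower():   # nocase content match
        return False
    return MINIREDIR not in payload        # negated content match

def req(method, path, *headers):
    """Build a constructed HTTP/1.1 request as bytes (hypothetical helper)."""
    lines = [f"{method} {path} HTTP/1.1", "Host: www.example.com", *headers, "", ""]
    return "\r\n".join(lines).encode()

# Constructed sample requests (not captured traffic).
SAMPLES = {
    "get_translate": req("GET", "/default.asp", "Translate: f"),
    "propfind_webdav": req("PROPFIND", "/share/", "Translate: f", "Depth: 1"),
    "miniredir_get": req("GET", "/share/a.doc", "Translate: f",
                         "User-Agent: Microsoft-WebDAV-MiniRedir/5.1.2600"),
    "plain_get": req("GET", "/index.html"),
    # The pcre is not anchored to the request method, so this is suppressed too.
    "options_in_path": req("GET", "/options.asp", "Translate: f"),
}

def evaluate(samples=SAMPLES):
    """Return {sample name: whether the approximated rule would alert}."""
    return {name: rule_fires(p) for name, p in samples.items()}

if __name__ == "__main__":
    for name, fired in evaluate().items():
        print(f"{name:18} {'ALERT' if fired else 'no alert'}")
```

Only the first sample alerts. The last one shows that the negated pcre applies to the whole payload rather than to the request method alone, which is worth weighing when tuning the rule.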




Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

Received on Wed Mar 31 16:45:41 2004

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:44 EDT

