Security Incidents mailing list archives
Re: Overwhelmed........
From: Rune Kristian Viken <arcade () kvinesdal com>
Date: Sun, 24 Jun 2001 11:24:06 +0200
> I just installed Snort on my IIS/Proxy server on Monday. On Tuesday I logged 255 alerts for the unicode exploit. A check of the log file revealed that our server was attacking another server out on the internet. I've done the following:
I've had that too. However, the attacks came from a machine I knew was not compromised, so I did a bit of digging.
From spp_http_decode.c :
---
if(((temp == 192) || /* c0 */
    (temp == 193) || /* c1 */
    (temp == 224) || /* e0 */
    (temp == 240) || /* f0 */
    (temp == 248) || /* f8 */
    (temp == 252)) && /* fc */
   check_iis_unicode)
{
    snprintf(logMessage, sizeof(logMessage),
             MODNAME ": IIS Unicode attack detected");

    /*(*AlertFunc)(p, logMessage);*/
    CallAlertFuncs(p, logMessage, NULL);
    CallLogFuncs(p, logMessage, NULL);
}
---

I may be on thin ice here, but it turns out that some country-specific characters are encoded that way. :-) In particular, in my case, it happened that the Norwegian character with the HTML representation ø (an "oe") has an 8-bit ASCII value of 248. So, every time someone submitted a query to a search engine, submitting an email via web - or WHATEVER that contained an 'oe' -- Snort triggered. .. I think. I'm not a good C programmer, so it may be that some other things have to happen before it triggers, but this is what I think it is. ;)

--
Rune Kristian Viken
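Added example (not part of the original message and not Snort's own code): the quoted byte test run over constructed request URIs, next to a hypothetical narrower test that only fires on a 0xC0/0xC1 lead byte followed by a UTF-8 continuation byte. It assumes the test is applied to each byte after %XX decoding; `url_decode`, `alerts` and the sample URIs are illustrative names and data.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>

/* The byte test quoted above, isolated (check_iis_unicode assumed enabled). */
static int byte_check(unsigned char temp) {
    return temp == 192 || temp == 193 || temp == 224 ||
           temp == 240 || temp == 248 || temp == 252;
}

/* Decode %XX escapes; returns the number of bytes written to out. */
static size_t url_decode(const char *in, unsigned char *out, size_t cap) {
    size_t n = 0;
    while (*in && n < cap) {
        if (in[0] == '%' && isxdigit((unsigned char)in[1]) &&
            isxdigit((unsigned char)in[2])) {
            char hex[3] = { in[1], in[2], '\0' };
            out[n++] = (unsigned char)strtoul(hex, NULL, 16);
            in += 3;
        } else {
            out[n++] = (unsigned char)*in++;
        }
    }
    return n;
}

/* strict == 0: the quoted per-byte test. strict == 1: hypothetical narrower test,
 * a 0xC0/0xC1 lead byte plus a continuation byte (0x80-0xBF) = overlong ASCII. */
int alerts(const char *uri, int strict) {
    unsigned char buf[512];
    size_t n = url_decode(uri, buf, sizeof buf);
    for (size_t i = 0; i < n; i++) {
        if (!strict && byte_check(buf[i]))
            return 1;
        if (strict && (buf[i] == 0xC0 || buf[i] == 0xC1) &&
            i + 1 < n && (buf[i + 1] & 0xC0) == 0x80)
            return 1;
    }
    return 0;
}

int main(void) {
    /* Constructed URIs: "rød" as ISO-8859-1, "rød" as UTF-8, overlong 'A'. */
    const char *s[] = { "/search?q=r%F8d", "/search?q=r%C3%B8d", "/doc%C1%81.html" };
    for (int i = 0; i < 3; i++)
        printf("%-20s byte=%d pair=%d\n", s[i], alerts(s[i], 0), alerts(s[i], 1));
    return 0;
}
```

The ISO-8859-1 query trips the per-byte test through %F8 alone, while the same word sent as UTF-8 (%C3%B8) trips neither test.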