Security Incidents mailing list archives
RE: Unicode Attack
From: "Palmer, Justin" <justin.palmer () imacorp com>
Date: Thu, 14 Nov 2002 11:31:21 -0600
Nick, the guy is seeing "ATTACK RESPONSES http dir listing". The signature for that alert is as follows:

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES http dir listing"; content: "Volume Serial Number"; flow:from_server,established; classtype:bad-unknown; sid:1292; rev:4;)

Clearly this isn't simply probes, but snort alerts indicating his web servers are _responding_ to the probes with a reply. In this case an established connection from his web servers sending the string "Volume Serial Number". Could be a false alarm obviously if that is a legitimate phrase in his web content, but I doubt it.
From: Nick FitzGerald [mailto:nick () virus-l demon co uk]
Sent: Wednesday, November 13, 2002 7:35 PM

"Jeremy Junginger" <jjunginger () usbestcrm com> wrote:

It's time again to ask the group for some assistance with interpretation of web logs and snort alerts. There was some funny activity on the web farm. I noticed a couple "ATTACK RESPONSES-http dir listing" attacks on some of our web servers, cueing me in to the fact that the servers in question were not patched against a Unicode-type vulnerability.

...

Huh? Your Snort logs will include everything "odd" (as defined by the Snort ruleset) that goes past your Snort sensors. Nothing seen in such incoming traffic means anything about your machines being vulnerable (well, nothing of the sort you report here means your machines are vulnerable). An "attack" as you call it ("probe" might be a little less emotive and thus help sort things out) does not mean you have anything attackable. The same requests directed to an Apache clearly would not be "an attack", as it is not if directed to a patched IIS box. Snort (or any other IDS) with the same detection rules monitoring such traffic though will flag it regardless that the target is an IIS or Apache box.
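To illustrate Justin's point about the rule quoted above, here is an added example (written for this archive page, not Snort's or either poster's code) that emulates sid 1292's port, direction, state and content checks over constructed sample flows; the HTTP port set and the flow records are assumptions, and the last sample is the false-alarm case he allows for.

```python
"""Emulate the quoted Snort rule (sid 1292, "ATTACK RESPONSES http dir listing").
Added example, not Snort code; the flow records below are constructed samples."""
from dataclasses import dataclass

HTTP_PORTS = {80, 8080}  # stands in for $HTTP_PORTS (assumed values)

@dataclass
class Flow:
    """One reassembled TCP payload with its direction and connection state."""
    src_port: int
    dst_port: int
    from_server: bool   # True when the web server sent this payload
    established: bool
    payload: bytes

@dataclass
class Rule:
    sid: int
    msg: str
    content: bytes
    from_server: bool   # flow:from_server means the server -> client direction

# content: "Volume Serial Number"; flow:from_server,established; sid:1292
DIR_LISTING_RULE = Rule(1292, "ATTACK RESPONSES http dir listing",
                        b"Volume Serial Number", True)

def matches(rule: Rule, flow: Flow) -> bool:
    """Header: $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any; then the flow and content options."""
    http_port = flow.src_port if rule.from_server else flow.dst_port
    if http_port not in HTTP_PORTS:
        return False
    if flow.from_server != rule.from_server or not flow.established:
        return False
    return rule.content in flow.payload

def evaluate(flows, rules=(DIR_LISTING_RULE,)):
    """Return (flow index, sid) for every flow that trips a rule."""
    return [(i, r.sid) for i, f in enumerate(flows) for r in rules if matches(r, f)]

SAMPLE_FLOWS = [  # constructed
    # 0: client -> server request carrying the phrase: wrong direction, no alert
    Flow(51234, 80, False, True, b"POST /notes HTTP/1.0\r\n\r\nVolume Serial Number is on the label"),
    # 1: server -> client reply that is really 'dir' output: this is what the poster saw
    Flow(80, 51234, True, True, b"HTTP/1.0 200 OK\r\n\r\n Volume Serial Number is 1234-ABCD\r\n"),
    # 2: ordinary page, no match
    Flow(80, 51235, True, True, b"HTTP/1.0 200 OK\r\n\r\n<html>Welcome</html>"),
    # 3: legitimate page that happens to contain the phrase: the false alarm Justin allows for
    Flow(80, 51236, True, True, b"HTTP/1.0 200 OK\r\n\r\n<p>chkdsk prints the Volume Serial Number.</p>"),
]
```

Running `evaluate(SAMPLE_FLOWS)` returns `[(1, 1292), (3, 1292)]`: only server-side payloads fire, which is why the alert indicates a response rather than a probe, and why content in the site's own pages must be checked before treating it as confirmed.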
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Unicode Attack Jeremy Junginger (Nov 13)
- Re: Unicode Attack Daniel Polombo (Nov 13)
- Re: Unicode Attack Nick FitzGerald (Nov 14)
- <Possible follow-ups>
- RE: Unicode Attack Information Security (Nov 14)
- RE: Unicode Attack James C Slora Jr (Nov 14)
- RE: Unicode Attack Palmer, Justin (Nov 14)
- RE: Unicode Attack Information Security (Nov 15)