Security Incidents mailing list archives

RE: Unicode Attack


From: "Palmer, Justin" <justin.palmer () imacorp com>
Date: Thu, 14 Nov 2002 11:31:21 -0600

Nick,

The guy is seeing "ATTACK RESPONSES http dir listing".  The signature for
that alert is as follows:

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES http dir listing"; content: "Volume Serial Number"; flow:from_server,established; classtype:bad-unknown; sid:1292; rev:4;)

Clearly these aren't simply probes, but Snort alerts indicating his web
servers are _responding_ to the probes with a reply: in this case an
established connection from his web servers sending the string "Volume
Serial Number".  It could obviously be a false alarm if that is a
legitimate phrase in his web content, but I doubt it.


From: Nick FitzGerald [mailto:nick () virus-l demon co uk]
Sent: Wednesday, November 13, 2002 7:35 PM


"Jeremy Junginger" <jjunginger () usbestcrm com> wrote:

It's time again to ask the group for some assistance with interpretation
of web logs and snort alerts.  There was some funny activity on the web
farm.  I noticed a couple "ATTACK RESPONSES-http dir listing" attacks on
some of our web servers, cueing me in to the fact that the servers in
question were not patched against a Unicode-type vulnerability.  ...

Huh?

Your Snort logs will include everything "odd" (as defined by the 
Snort ruleset) that goes past your Snort sensors.  Nothing seen in 
such incoming traffic means anything about your machines being 
vulnerable (well, nothing of the sort you report here means your 
machines are vulnerable).  An "attack" as you call it ("probe" might 
be a little less emotive and thus help sort things out) does not mean 
you have anything attackable.  The same requests directed to an 
Apache clearly would not be "an attack", as it is not if directed to 
a patched IIS box.  Snort (or any other IDS) with the same detection 
rules monitoring such traffic though will flag it regardless of whether 
the target is an IIS or Apache box.



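As an added illustration of the point Justin makes about the signature (this is a toy model written for this archive page, not Snort's own code; the address ranges, packet records and payloads are constructed), the following Python mirrors the three conditions of sid:1292 and runs them over a few made-up packets: the inbound probe, a normal response, a response carrying a Windows "dir" listing, a legitimate page that happens to contain the phrase, and the same string on a session that never completed the handshake.

```python
"""
Toy model of Snort sid:1292 ("ATTACK RESPONSES http dir listing").
Added example for this archive page, not Snort source; every address,
packet and payload below is constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed stand-ins for snort.conf variables (assumed values).
HOME_NET = [ip_network("192.0.2.0/24")]
HTTP_SERVERS = HOME_NET
HTTP_PORTS = {80}


def is_http_server(addr: str) -> bool:
    return any(ip_address(addr) in net for net in HTTP_SERVERS)


def is_external(addr: str) -> bool:
    # Mirrors the usual "var EXTERNAL_NET !$HOME_NET".
    return not any(ip_address(addr) in net for net in HOME_NET)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes
    established: bool   # TCP handshake completed (Snort's stream tracking)
    from_server: bool   # sent by the side that accepted the connection


def sid1292_matches(pkt: Packet) -> bool:
    """True only when every part of the rule header and options is satisfied."""
    # Header: tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any
    if not (is_http_server(pkt.src) and pkt.sport in HTTP_PORTS
            and is_external(pkt.dst)):
        return False
    # flow:from_server,established -- only server-to-client data on a live session
    if not (pkt.from_server and pkt.established):
        return False
    # content:"Volume Serial Number" -- the tell-tale line of a Windows "dir" listing
    return b"Volume Serial Number" in pkt.payload


SERVER, CLIENT = "192.0.2.10", "198.51.100.7"   # constructed addresses

# Constructed packets; names describe the scenario each one models.
SAMPLE = {
    "probe_request": Packet(
        CLIENT, 40000, SERVER, 80,
        b"GET /scripts/probe HTTP/1.0\r\n\r\n", True, False),
    "normal_response": Packet(
        SERVER, 80, CLIENT, 40000,
        b"HTTP/1.0 404 Not Found\r\n\r\n<html>Not found</html>", True, True),
    "dir_listing_response": Packet(
        SERVER, 80, CLIENT, 40000,
        b"HTTP/1.0 200 OK\r\n\r\n Volume in drive C has no label.\r\n"
        b" Volume Serial Number is 0000-0000\r\n\r\n"
        b" Directory of C:\\inetpub\\scripts\r\n", True, True),
    "legit_page_response": Packet(
        SERVER, 80, CLIENT, 40000,
        b"HTTP/1.0 200 OK\r\n\r\n<p>How to read the Volume Serial Number"
        b" of a disk</p>", True, True),
    "unestablished": Packet(
        SERVER, 80, CLIENT, 40000,
        b" Volume Serial Number is 0000-0000\r\n", False, True),
}


def alerts(samples=SAMPLE):
    """Names of the sample packets that would raise sid:1292."""
    return [name for name, pkt in samples.items() if sid1292_matches(pkt)]


if __name__ == "__main__":
    for name in alerts():
        print(f"ATTACK RESPONSES http dir listing: {name}")
```

Running it fires on "dir_listing_response" and "legit_page_response" only: the probe itself can never trigger this rule because it is client-to-server data, which is why a burst of sid:1292 hits says something about what the servers are sending back rather than about what is arriving. The "legit_page_response" case is the false alarm Justin allows for, so the matched payload should be checked before concluding that a listing was actually returned.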
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com