Snort mailing list archives
Re: spp_http_decode
From: Blake Frantz <blake () mc net>
Date: Mon, 2 Jul 2001 14:50:14 -0500 (CDT)
I disabled the preprocessor and added my own rules.

alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS Unicode Attack";flags:PA; content:"..%c1%1c"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS Unicode Attack";flags:PA; content:"..%c0%9v"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS Unicode Attack";flags:PA; content:"..%c0%af"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS Unicode Attack";flags:PA; content:"..%c0%qf"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS Unicode Attack";flags:PA; content:"..%c1%8s"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS Unicode Attack";flags:PA; content:"..%c1%9c"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS Unicode Attack";flags:PA; content:"..%c1%pc"; nocase;)

These look for "..\".

alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CGI Poison NULL Attack";flags:PA; content:"%00"; nocase;)

I get a lot fewer false positives with the above rules... I also added a rule that looks for HTTP requests that contain 'cmd.exe'.

While on the topic of cmd.exe and such, there is a new tool out that uses vulnerable IIS boxes in DDoS attacks. The tool reads from a list of known vulnerable IIS boxen and issues an HTTP request that is similar to the following:

/scripts/..%c0%9v../winnt/system32/cmd.exe?/c+ping+-n+13600+-l+65400+-w+0+target.of.ddos.net

Hope this helps.

Blake Frantz
=================================================================
The Government, like diapers, should be replaced regularly, and often for the same reasons.

On Mon, 2 Jul 2001 niko () digitalenigma com wrote:
I am getting many, many spp_http_decode alerts (IIS Unicode attack detected & CGI Null Byte attack detected). I know how to rid myself of these alerts by adding:

preprocessor http_decode: 80 8080 -unicode -cginull

However, I am reluctant to do this because I am not 100% sure what I am doing in this respect. By disabling this feature, will I now miss any "real alerts"? What are my options to minimize the amount of false alerts without compromising security? Again, any info or suggestions are greatly appreciated.

Thanks,
Bryan

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
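The trade-off Bryan asks about (signature rules on the raw request versus a preprocessor that normalizes first) can be made concrete with a small model. The following is an added illustration written for this thread, not Snort's code and not spp_http_decode: it applies Blake's posted content strings as case-insensitive substring matches (what `nocase` means) to a handful of constructed request lines, and next to that runs a deliberately lenient percent-plus-UTF-8 decoder so you can see that `..%c0%af` and `..%c1%9c` normalize to `../` and `..\`. The content string for Blake's 'cmd.exe' rule, the sample requests (except the DDoS line, which is from the post) and the decoder's leniency rules are all assumptions made for the example; only the listed `content:` values come from the thread.

```python
"""Snort-style content matching vs. decode-then-match, illustrated.

Added example for this thread; not Snort's code and not spp_http_decode.
"""

# Rule contents transcribed from the post (msg, content). Every posted rule
# uses 'nocase', so matching is case-insensitive throughout.
UNICODE_CONTENTS = [b"..%c1%1c", b"..%c0%9v", b"..%c0%af", b"..%c0%qf",
                    b"..%c1%8s", b"..%c1%9c", b"..%c1%pc"]
RULES = [("IIS Unicode Attack", c) for c in UNICODE_CONTENTS]
RULES.append(("CGI Poison NULL Attack", b"%00"))
# The post says a rule for 'cmd.exe' was added but does not give its text;
# this content string is an assumption.
RULES.append(("cmd.exe in request", b"cmd.exe"))


def match_rules(request: bytes) -> list:
    """Snort 'content' with 'nocase' is a case-insensitive substring test."""
    hay = request.lower()
    return sorted({msg for msg, content in RULES if content.lower() in hay})


HEX = b"0123456789abcdefABCDEF"


def percent_decode(s: bytes) -> bytes:
    """One pass of %xx decoding. Malformed escapes such as %9v are kept literally."""
    out = bytearray()
    i = 0
    while i < len(s):
        if s[i] == 0x25 and i + 2 < len(s) and s[i + 1] in HEX and s[i + 2] in HEX:
            out.append(int(s[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(s[i])
            i += 1
    return bytes(out)


def lenient_utf8(b: bytes) -> bytes:
    """Decode two-byte UTF-8 leads (110xxxxx) the lenient way: 5 low bits of the
    lead, 6 low bits of whatever byte follows, no overlong check and no check
    that the second byte is a 10xxxxxx continuation byte. That leniency is what
    the traversal relies on: C0 AF -> 0x2F '/', C1 9C -> 0x5C '\\'.
    (Assumed decoder behaviour for illustration, not a model of any product.)"""
    out = bytearray()
    i = 0
    while i < len(b):
        c = b[i]
        if 0xC0 <= c <= 0xDF and i + 1 < len(b):
            cp = ((c & 0x1F) << 6) | (b[i + 1] & 0x3F)
            out += chr(cp).encode("utf-8")
            i += 2
        else:
            out.append(c)
            i += 1
    return bytes(out)


def naive_traversal(request: bytes) -> bool:
    """A rule that only knows the literal separators."""
    return b"../" in request or b"..\\" in request


def decoded_traversal(request: bytes) -> bool:
    """What a normalizing step buys you: decode first, then look for '../' or '..\\'."""
    norm = lenient_utf8(percent_decode(request))
    return b"../" in norm or b"..\\" in norm


# Constructed request lines (the last one is the DDoS request quoted in the post).
SAMPLES = [
    b"GET /scripts/..%c0%af..%c0%afwinnt/system32/cmd.exe?/c+dir HTTP/1.0",
    b"GET /scripts/..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+dir HTTP/1.0",  # upper-case hex
    b"GET /scripts/%2e%2e%c0%af%2e%2e%c0%afwinnt/system32/cmd.exe?/c+dir HTTP/1.0",  # dots encoded too
    b"GET /cgi-bin/view.cgi?file=../../etc/passwd%00.html HTTP/1.0",
    b"GET /images/logo.gif HTTP/1.0",
    b"GET /scripts/..%c0%9v../winnt/system32/cmd.exe?/c+ping+-n+13600+-l+65400+-w+0+target.of.ddos.net HTTP/1.0",
]

if __name__ == "__main__":
    for req in SAMPLES:
        print(req.decode("latin-1"))
        print("  rules hit:", match_rules(req) or "-")
        print("  literal ../ check:", naive_traversal(req),
              " decode-then-check:", decoded_traversal(req))
```

The third sample is the point of the exercise: the posted rules require a literal `..` in front of the encoded separator, so `%2e%2e%c0%af` hits only the assumed `cmd.exe` rule, while a check that decodes first still sees `../`. Whether a given server accepts that form is a separate question; what the example shows is the class of requests a pure content match cannot see, which is what you give up when the preprocessor is turned off.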
Current thread:
- spp_http_decode niko (Jul 02)
- Re: spp_http_decode Blake Frantz (Jul 02)
- using snort without an IP Addy Frontgate Lab (Jul 02)
- Re: using snort without an IP Addy Blake Frantz (Jul 02)
- Re: using snort without an IP Addy Frontgate Lab (Jul 02)
- Re: using snort without an IP Addy Blake Frantz (Jul 02)
- Re: using snort without an IP Addy Blake Frantz (Jul 02)
- Re: spp_http_decode Vitaly Osipov (Jul 03)