Snort mailing list archives
Re: RFC: SHELLCODE and WEDAV alerts
From: Frank Knobbe <frank () knobbe us>
Date: Thu, 18 Mar 2004 10:52:22 -0600
On Thu, 2004-03-18 at 09:56, Michael Shirk wrote:
Then I get one WEBDAV alert with a payload of 1460: WEB-MISC WebDAV search access 3/15/2004 17:30:10 Which contains the following String: SEARCH / Followed by 90 or . characters. I have not seen any viruses of this nature and it is either a terrible false positive or some kind of script. I have seen different sources with the same exact pattern. I am going to write a rule for this but wondering if anyone has seen the things in THEIR LOGS
It's a Nachi variant (B?) that is trying to enter web servers that have the WebDAV component enabled. I have some web servers on monitored networks that just get pummeled with those attacks (about 6000/day) while other web servers do not get hit at all. There was a discussion in SF-Incidents and DShield about this. It comes down to the virus checking for the presence of WebDAV, and if found, launching the attack. If you can turn WebDAV off on your web server, do so and the volume of alerts should disappear.

Regards,
Frank
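As an added example, not code from either message on this thread and not a Snort rule: a small Python classifier that implements the detection logic a rule for this traffic would need. It keys on what the thread describes (method SEARCH, request target "/", followed by a long run of 0x90 or "." bytes) and distinguishes that from a WebDAV SEARCH carrying a normal XML body. The padding threshold, the source addresses and every sample request are constructed assumptions for illustration, and the first probe is sized to the 1460-byte payload mentioned above.

```python
"""Toy detector for the WebDAV "SEARCH /" probe discussed in the thread.

Added example, not code from the original messages or from Snort. The
threshold and all sample requests below are constructed for illustration.
"""
import re
from collections import Counter

# Padding run length at which a request is treated as a probe rather than a
# normal WebDAV SEARCH. Assumed value chosen for this example.
PAD_RUN_MIN = 64

# A run of 0x90 (x86 NOP) bytes or '.' characters, the two paddings the
# thread reports after "SEARCH /".
_PAD_RUN = re.compile(rb"(?:\x90{%d,}|\.{%d,})" % (PAD_RUN_MIN, PAD_RUN_MIN))


def longest_pad_run(raw: bytes) -> int:
    """Length of the longest qualifying padding run anywhere in the request."""
    return max((len(m.group(0)) for m in _PAD_RUN.finditer(raw)), default=0)


def classify_request(raw: bytes) -> dict:
    """Classify one raw HTTP request as captured from the wire.

    The probe glues its padding straight onto the request target ("SEARCH /"
    followed by 0x90 or '.' bytes, no HTTP version, no CRLF), so the target
    is cut at the first padding run to recover the path.
    """
    parts = raw.split(None, 2)          # split on ASCII whitespace only
    method = parts[0].decode("latin-1", "replace") if parts else ""
    target = parts[1] if len(parts) > 1 else b""
    cut = _PAD_RUN.search(target)
    path = (target[:cut.start()] if cut else target).decode("latin-1", "replace")
    run = longest_pad_run(raw)

    if method == "SEARCH" and path == "/" and run >= PAD_RUN_MIN:
        return {"method": method, "path": path, "alert": True,
                "reason": f"WebDAV probe: SEARCH / followed by {run}-byte 0x90/'.' padding"}
    if method == "SEARCH":
        return {"method": method, "path": path, "alert": False,
                "reason": "WebDAV SEARCH without padding (possibly a real DAV client)"}
    return {"method": method, "path": path, "alert": False,
            "reason": "not a SEARCH request"}


def alerts_by_source(events) -> dict:
    """Count probe alerts per source over (src, raw_request) pairs, to show
    the 'same pattern from different sources' effect the thread describes."""
    counts = Counter(src for src, raw in events if classify_request(raw)["alert"])
    return dict(counts)


# Constructed sample traffic (not captured data). PROBE_NOPS is sized to
# 1460 bytes, the payload length mentioned in the thread.
PROBE_NOPS = b"SEARCH /" + b"\x90" * 1452
PROBE_DOTS = b"SEARCH /" + b"." * 300
LEGIT_SEARCH = (b"SEARCH / HTTP/1.1\r\nHost: dav.example.test\r\n"
                b"Content-Type: text/xml\r\n\r\n"
                b'<?xml version="1.0"?><D:searchrequest xmlns:D="DAV:">'
                b'<D:sql>SELECT "DAV:displayname" FROM scope()</D:sql>'
                b"</D:searchrequest>")
PLAIN_GET = b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"

SAMPLE_EVENTS = [
    ("10.0.0.5", PROBE_NOPS),
    ("10.0.0.5", PROBE_NOPS),
    ("10.0.0.9", PROBE_DOTS),
    ("10.0.0.7", LEGIT_SEARCH),
    ("10.0.0.7", PLAIN_GET),
]

if __name__ == "__main__":
    for src, raw in SAMPLE_EVENTS:
        r = classify_request(raw)
        print(f"{src:10} {r['method']:7} {r['path']:12} alert={r['alert']} ({r['reason']})")
    print("alerts by source:", alerts_by_source(SAMPLE_EVENTS))
```

The point of cutting the target at the padding run, rather than just matching "SEARCH /", is that a real DAV client also sends SEARCH / with a proper request line and an XML body; keying on the padding run is what separates the probe from that traffic and keeps the rule from alerting on legitimate WebDAV use.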
Current thread:
- RFC: SHELLCODE and WEDAV alerts Michael Shirk (Mar 18)
- Re: RFC: SHELLCODE and WEDAV alerts Frank Knobbe (Mar 18)
- Re: RFC: SHELLCODE and WEDAV alerts Frank Knobbe (Mar 18)
- Re: RFC: SHELLCODE and WEDAV alerts Frank Knobbe (Mar 18)