Security Incidents mailing list archives

Re: Overwhelmed........


From: Rune Kristian Viken <arcade () kvinesdal com>
Date: Sun, 24 Jun 2001 11:24:06 +0200

I just installed Snort on my IIS/Proxy server on Monday. On Tuesday I
logged 255 alerts for the unicode exploit. A check of the log file 
revealed that our server was attacking another server out on the 
internet. I've done the following:
 
I've had that too.  However, the attacks came from a machine I knew was
not compromised, so I did a bit of digging.
 
From spp_http_decode.c :
---
    if(((temp == 192) || /* c0 */
        (temp == 193) || /* c1 */
        (temp == 224) || /* e0 */
        (temp == 240) || /* f0 */
        (temp == 248) || /* f8 */
        (temp == 252)) &&/* fc */
       check_iis_unicode)
    {
        snprintf(logMessage, sizeof(logMessage),
                 MODNAME ": IIS Unicode attack detected");

        /*(*AlertFunc)(p, logMessage);*/
        CallAlertFuncs(p, logMessage, NULL);
        CallLogFuncs(p, logMessage, NULL);
    }
---
 
I may be on thin ice here, but it turns out that some country-specific
characters are encoded that way. :-)  In particular, in my case, it
happened that the Norwegian character with the HTML representation
&oslash; (an "oe") has an 8-bit ASCII value of 248.

So, every time someone submitted a query to a search engine, submitted
an email via web - or WHATEVER that contained an 'oe' -- Snort
triggered.

.. I think. 

I'm not a good C programmer, so there may be some other things that have to
happen before it triggers, but this is what I think it is. ;)

-- 
Rune Kristian Viken
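Added example, not from the post above and not Snort's own code: a Python model of the quoted lead-byte check beside a stricter variant (my own assumption about how to separate the two cases) that only fires when a lead byte is actually followed by UTF-8 continuation bytes, so a lone Latin-1 0xF8 from a Norwegian form post is not flagged while an overlong sequence still is. Sample URIs are constructed.

```python
# Added example (not from the original post or from Snort): models the
# quoted heuristic and a stricter check that separates overlong UTF-8
# sequences from single Latin-1 high bytes such as 0xF8 ("ø").
from urllib.parse import unquote_to_bytes

# Lead-byte values the quoted spp_http_decode.c check looks for
# (c0 c1 e0 f0 f8 fc), i.e. the first byte of a multi-byte UTF-8 form.
IIS_UNICODE_LEAD_BYTES = {0xC0, 0xC1, 0xE0, 0xF0, 0xF8, 0xFC}


def snort_style_alert(uri: str) -> bool:
    """Mimic the quoted check: alert if any %XX-decoded byte is a lead byte.
    This is what makes a Latin-1 'ø' (%F8) in a search query trigger."""
    return any(b in IIS_UNICODE_LEAD_BYTES for b in unquote_to_bytes(uri))


def _continuation_bytes_needed(lead: int) -> int:
    """How many 10xxxxxx bytes a UTF-8 sequence with this lead byte needs."""
    if lead < 0xE0:
        return 1          # 110xxxxx
    if lead < 0xF0:
        return 2          # 1110xxxx
    if lead < 0xF8:
        return 3          # 11110xxx
    if lead < 0xFC:
        return 4          # 111110xx (obsolete 5-byte form)
    return 5              # 1111110x (obsolete 6-byte form)


def overlong_utf8_alert(uri: str) -> bool:
    """Stricter model (an assumption, not Snort's logic): alert only when a
    lead byte is followed by the full run of continuation bytes, i.e. the
    decoded data really has the shape of a multi-byte (overlong) sequence.
    A lone high byte from an 8-bit Latin-1 form post does not qualify."""
    data = unquote_to_bytes(uri)
    for i, b in enumerate(data):
        if b not in IIS_UNICODE_LEAD_BYTES:
            continue
        need = _continuation_bytes_needed(b)
        tail = data[i + 1:i + 1 + need]
        if len(tail) == need and all(0x80 <= c <= 0xBF for c in tail):
            return True
    return False


if __name__ == "__main__":
    # Constructed samples: Latin-1 "bløtkake" in a query, and an overlong '/'.
    for sample in ("/search?q=bl%F8tkake", "/index.asp?p=%C0%AF"):
        print(sample, snort_style_alert(sample), overlong_utf8_alert(sample))
```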
