Snort mailing list archives

RE: IIS Unicode attack detected


From: "John Berkers" <berjo () ozemail com au>
Date: Mon, 13 Aug 2001 23:13:31 +1000

This is indeed one of the common causes for false alerts for the IIS Unicode
Attack Detected alert.  I believe (someone correct me if I am wrong) that
you can still use the http_decode preprocessor, with the -unicode
and -cginull. The URL/URIs will still be normalised and directory traversal
signatures and others will be able to pick up actual attacks.  You just have to
make sure that your signatures are all up-to-date.

Regards,
John Berkers
berjo () ozemail com au


-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of Andrew
Daviel
Sent: Monday, 13 August 2001 9:59
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] IIS Unicode attack detected


On Sat, 17 Mar 2001, Andrew R. Baker wrote:


And in 1.7.1 (which is still in beta).  You can have the http_decode
processor ignore certain hosts.

Me, too. (an IT cartoon recently suggested a filter for this in outgoing
mail :-)  )

I have also seen many false positives on this and afaik no real alerts.
Playing with code red rules recently I dumped some data and can say yes,
it looks like a Japanese user using a search engine, e.g.

GET /intl/ja/images/Title_Lef.gif HTTP/1.0
If-Modified-Since: Tue, 21 Nov 20 16:20:07 GMT; length=4841
Referer:
http://www.google.com/search?q=.....s.R.%EC%95s%97R%94%FC&hl=ja&lr=lang_ja
Connection: Keep-Alive

etc.

We don't have just one Asian user, and they don't all go to the same site,
so ignoring a host or two isn't going to help.

Is it not possible to trigger on real exploits and not just someone using
Unicode ?

Andrew Daviel
TRIUMF


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
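The point made in both messages above is that the alert keys on the presence of Unicode-style escapes, while the thing worth alerting on is what the URI looks like after normalisation. The script below is an added illustration, not Snort code and not anything from the thread: it mimics the two steps the http_decode -unicode option is described as performing (decode %XX escapes, then collapse overlong two-byte UTF-8 sequences to the ASCII byte they encode) and only then applies a directory-traversal signature to the path. The Japanese request line is built from the Google search query quoted in Andrew's message; the traversal request line and the "naive rule fires on any high-bit byte" heuristic are constructed assumptions about why the false positives occur.

```python
"""Added example (not Snort's own code): normalise a request URI the way an
http_decode-style preprocessor would, then match a traversal signature on
the normalised path rather than on the raw escapes."""
import re

PCT = re.compile(rb"%([0-9A-Fa-f]{2})")
# Signature applied AFTER normalisation: a ".." path component.
TRAVERSAL = re.compile(rb"(^|[/\\])\.\.([/\\]|$)")


def percent_decode(raw: bytes) -> bytes:
    """Single-pass %XX decoding (no recursive decoding, so %25 stays '%')."""
    return PCT.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def collapse_overlong_utf8(data: bytes) -> bytes:
    """Rewrite overlong two-byte UTF-8 sequences (lead byte 0xC0 or 0xC1
    followed by a continuation byte) to the single ASCII byte they encode.
    Genuine multibyte text, e.g. Shift-JIS bytes in a query, is left alone."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return bytes(out)


def normalise_uri(raw: bytes) -> bytes:
    return collapse_overlong_utf8(percent_decode(raw))


def has_high_bit(data: bytes) -> bool:
    return any(b >= 0x80 for b in data)


def classify(request_line: bytes) -> dict:
    """Compare a naive 'any encoded high-bit byte' rule (assumed to be what
    produces the false positives in the thread) with a traversal check on the
    normalised path only."""
    _method, target, _version = request_line.split(b" ", 2)
    path, _, _query = target.partition(b"?")
    return {
        "raw_has_high_bit": has_high_bit(percent_decode(target)),
        "traversal": bool(TRAVERSAL.search(normalise_uri(path))),
    }


# Constructed sample request lines.  The query string is the Japanese Google
# search quoted in the thread; the traversal line is a made-up illustration.
JP_REQUEST = b"GET /search?q=.....s.R.%EC%95s%97R%94%FC&hl=ja&lr=lang_ja HTTP/1.0"
PLAIN_REQUEST = b"GET /intl/ja/images/Title_Lef.gif HTTP/1.0"
TRAVERSAL_REQUEST = b"GET /images/..%c0%af..%c0%afprivate.txt HTTP/1.0"

if __name__ == "__main__":
    for line in (JP_REQUEST, PLAIN_REQUEST, TRAVERSAL_REQUEST):
        print(line.split(b" ")[1].decode("latin-1"), classify(line))
```

Run as-is it shows the Japanese query and the traversal line both satisfying the naive high-bit rule, while only the traversal line matches the ".." signature once the path has been normalised; the plain GIF request matches neither. That separation is what lets you keep the http_decode normalisation switched on and rely on up-to-date traversal signatures for the real alerts.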

