Snort mailing list archives

Re: IDS553/web-iis_IIS ISAPI Overflow idq


From: Brian Caswell <bmc () mitre org>
Date: Wed, 15 Aug 2001 09:48:34 -0400

john.ruff () us abb com wrote:
One of the rules I'm using for Code Red is generating alerts that seem to be
false; rather, I'm not sure they're reliable.

Rule from Whitehats.com:
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS553/web-iis_IIS ISAPI Overflow idq"; dsize: >239; flags: A+; uricontent: ".idq?"; classtype: system-or-info-attempt; reference: arachnids,553;)

Here are my log entries.  In all cases the traffic flow is from 'web proxy
client' --> 'MS Proxy Server'.  What are the chances that this is a false
alarm?  I've scanned these clients with Eeye's scanner (v 2.7) and come up
with nothing.

Actually, I've been noticing that quite a bit as well.  It's also used by
anyone that uses Microsoft's Index Server.  (Large corporations have
this all over the place to index their Word documents.)

There is a buffer overflow in the handling of .idq requests in IIS, but
there has yet to be a released exploit for it.

I'm not exactly sure what the best solution for reducing the false positives
would be, except to lower the priority and look at them if you have time.

-- 
Brian Caswell
The MITRE Corporation
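To show why routine proxy-client traffic trips this signature, here is an added Python example (not code from the thread, from Whitehats or from Snort) that evaluates the rule's header and payload options against constructed HTTP requests. The requests, the 10.0.0.0/8 LAN range and the two $EXTERNAL choices are assumptions made for the example; the rule text is the one quoted above.

```python
import ipaddress
# Added example, not code from the thread: evaluates the IDS553 rule's header
# (source in $EXTERNAL, destination port 80) and payload options (dsize,
# uricontent) against constructed requests. Assumed: one request per TCP
# segment, so dsize is len(request), and the flags A+ test already holds.
RULE = ('alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS553/web-iis_IIS ISAPI '
        'Overflow idq"; dsize: >239; flags: A+; uricontent: ".idq?"; '
        'classtype: system-or-info-attempt; reference: arachnids,553;)')

def parse_options(rule):
    """Return the rule's option keywords as a dict, values unquoted."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts = {}
    for item in body.split(";"):
        if ":" in item:
            key, val = item.split(":", 1)
            opts[key.strip()] = val.strip().strip('"')
    return opts

def dsize_matches(spec, size):
    """Snort dsize forms ">N", "<N" and exact "N" (range N<>M not needed)."""
    if spec[0] in "<>":
        return size > int(spec[1:]) if spec[0] == ">" else size < int(spec[1:])
    return size == int(spec)

def request_uri(payload):
    """URI field of the HTTP request line (METHOD SP URI SP VERSION)."""
    parts = payload.split(b"\r\n", 1)[0].decode("latin-1").split(" ")
    return parts[1] if len(parts) >= 2 else ""

def rule_fires(opts, src_ip, dst_port, payload, external_nets):
    """True only when every header and payload condition of the rule is met."""
    src = ipaddress.ip_address(src_ip)
    return (any(src in net for net in external_nets) and dst_port == 80
            and dsize_matches(opts["dsize"], len(payload))
            and opts["uricontent"] in request_uri(payload))

# Constructed traffic: a routine Index Server search from an intranet client
# to the proxy, not an attack; its query string alone pushes the request past
# 239 bytes, which is all the dsize check measures.
INDEX_QUERY = (b"GET /samples/search/query.idq?CiRestriction=quarterly+report+2001"
               b"&CiMaxRecordsPerPage=20&CiScope=%2Fdocs&CiSort=rank%5Bd%5D"
               b"&HTMLQueryForm=%2Fsamples%2Fsearch%2Fquery.htm HTTP/1.0\r\n"
               b"Host: intranet.example.test\r\nUser-Agent: Mozilla/4.0\r\n"
               b"Accept: text/html, */*\r\n\r\n")
SHORT_IDQ = b"GET /query.idq?CiRestriction=x HTTP/1.0\r\n\r\n"
OPTS = parse_options(RULE)
EXT_ANY = [ipaddress.ip_network("0.0.0.0/0")]         # $EXTERNAL left as "any"
EXT_NOT_LAN = list(ipaddress.ip_network("0.0.0.0/0")  # $EXTERNAL as !10.0.0.0/8
                   .address_exclude(ipaddress.ip_network("10.0.0.0/8")))
```

With $EXTERNAL left as "any", the benign search from 10.1.2.3 fires the rule exactly as the log entries above show; the same request is ignored once $EXTERNAL excludes the proxy clients' LAN, while it still fires for an outside source.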
