Snort mailing list archives
Re: IDS553/web-iis_IIS ISAPI Overflow idq
From: Brian Caswell <bmc () mitre org>
Date: Wed, 15 Aug 2001 09:48:34 -0400
john.ruff () us abb com wrote:
One of the rules I'm using for Code Red is generating alerts that seem to be false, rather I'm not sure they're reliable. Rule from Whitehats.com:

alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS553/web-iis_IIS ISAPI Overflow idq"; dsize: >239; flags: A+; uricontent: ".idq?"; classtype: system-or-info-attempt; reference: arachnids,553;)

Here are my log entries. In all cases the traffic flow is from 'web proxy client' --> 'MS Proxy Server'. What are the chances that this is a false alarm? I've scanned these clients with Eeye's scanner (v 2.7) and come up with nothing.
Actually, I've been noticing that quite a bit as well. It's also used by anyone that uses Microsoft's Index Server. (Large corporations have this all over the place to index their Word documents.) There is a buffer overflow in the handling of .idq requests in IIS, but there has yet to be a released exploit for it. I'm not exactly sure what the best solution for reducing the false positives would be, except lower the priority and look at them if you have time.

--
Brian Caswell
The MITRE Corporation

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
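As an added example that is not part of the thread, here is a Python re-implementation of the three match options of the IDS553 rule quoted above, run over constructed benign Index Server requests of the kind a proxy client sends; the sample URIs, hostname and user agent are assumptions, chosen to show that an ordinary long search query trips the dsize threshold while a short one does not.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    """Constructed stand-in for one TCP segment; flags use Snort letters (A=ACK, P=PSH)."""
    flags: str
    payload: bytes

def ids553_checks(pkt: Packet) -> dict:
    """Evaluate the rule's options separately: dsize: >239; flags: A+; uricontent: ".idq?"

    Returning each condition, not just the verdict, shows an analyst which one
    carried the match when reviewing a suspected false positive.
    """
    request_line = pkt.payload.split(b"\r\n", 1)[0]   # uricontent looks only at the request target
    parts = request_line.split(b" ")
    uri = parts[1] if len(parts) >= 2 else b""
    checks = {
        "dsize>239": len(pkt.payload) > 239,
        "flags:A+": "A" in pkt.flags,                  # A+ = ACK set, other bits ignored
        "uricontent:.idq?": b".idq?" in uri,
    }
    checks["alert"] = all(checks.values())
    return checks

def client_request(uri: str) -> Packet:
    """Constructed proxy-client GET as seen on the wire (ACK|PSH set); host/agent are assumptions."""
    raw = (f"GET {uri} HTTP/1.0\r\nHost: intranet.example\r\n"
           "User-Agent: Mozilla/4.0 (compatible; MSIE 5.5)\r\nAccept: */*\r\n\r\n").encode()
    return Packet(flags="AP", payload=raw)

# Constructed samples: two benign Index Server queries and one static page.
SAMPLES = {
    # a normal search with restriction, scope, paging and template parameters
    "long_idq_query": client_request(
        "/samples/search/query.idq?CiRestriction=%28%40contents%20quarterly"
        "%20report%29%20AND%20%23filename%20*.doc&CiScope=%2Fdocs"
        "&CiMaxRecordsPerPage=50&TemplateName=query&CiSort=rank%5Bd%5D"
        "&HTMLQueryForm=%2Fsamples%2Fsearch%2Fquery.htm"),
    "short_idq_query": client_request(
        "/samples/search/query.idq?CiRestriction=budget&CiScope=%2Fdocs"),
    "static_page": client_request("/index.htm"),
}

def run_samples() -> dict:
    """Run every constructed sample through the rule logic."""
    return {name: ids553_checks(pkt) for name, pkt in SAMPLES.items()}
```

Calling `run_samples()` shows the long benign query matching all three options, so the size threshold alone is what separates it from the short query, which is why a plain Index Server front end keeps firing this signature.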