Snort mailing list archives
Re: IDS553/web-iis_IIS ISAPI Overflow idq
From: Ryan Russell <ryan () securityfocus com>
Date: Wed, 15 Aug 2001 10:55:15 -0600 (MDT)
On Wed, 15 Aug 2001 john.ruff () us abb com wrote:
One of the rules I'm using for Code Red is generating alerts that seem to be false; rather, I'm not sure they're reliable. Rule from Whitehats.com:

alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS553/web-iis_IIS ISAPI Overflow idq"; dsize: >239; flags: A+; uricontent: ".idq?"; classtype: system-or-info-attempt; reference: arachnids,553;)
There is not enough information in what you sent to determine what is going on. Can you grep your web server logs for that day for '.idq?' and send those? That's the only way you're going to determine if it is a false alarm, whether the attack worked, etc. In general, the rule is well-written. It only goes off for requests involving idq, and that exceed the normal request size. Note that the .ida version of this rule has been going off left and right due to Code Red.

Ryan

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
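The triage Ryan describes, as an added example that is not part of the original thread or of the Snort or arachNIDS rule set. The script walks an IIS W3C extended log, pulls out every request for an .idq file that carried a query string (the equivalent of the rule's uricontent ".idq?"), and flags those whose reconstructed request line exceeds the rule's 239-byte dsize threshold. Two assumptions to keep in mind: the log lines below are constructed sample data (documentation-range IPs, a hypothetical 300-byte query), and the length check is an approximation, because Snort's dsize counts the whole TCP payload including headers while the log only preserves the URI. Also note that in the W3C format the stem and query are separate columns and no '?' is ever logged, so a literal grep for '.idq?' would miss every hit; that is why the example parses the #Fields header instead.

```python
"""Triage IDS553 (.idq) alerts against an IIS W3C extended log.

Added example, not from the original mailing-list thread. The log below is
constructed sample data; real logs will have more #Fields columns.
"""
from dataclasses import dataclass
from typing import Dict, Iterator, List

# From the Snort rule: dsize: >239. Snort measures the TCP payload; here we
# approximate it with the length of the reconstructed HTTP request line,
# which undercounts (no headers) but still separates a 300-byte overflow
# query from an ordinary Index Server search.
DSIZE_THRESHOLD = 239

# Constructed sample log (hypothetical). 192.0.2.10 runs a normal Index
# Server query; 203.0.113.5 sends an oversized query typical of an
# overflow attempt; the remaining lines should not match at all.
SAMPLE_LOG = (
    "#Software: Microsoft Internet Information Services 5.0\n"
    "#Version: 1.0\n"
    "#Date: 2001-08-15 00:00:00\n"
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status\n"
    "2001-08-15 10:12:01 192.0.2.10 GET /query.idq CiRestriction=snort&CiScope=%2F 200\n"
    "2001-08-15 10:13:44 198.51.100.7 GET /default.htm - 200\n"
    "2001-08-15 10:14:09 203.0.113.5 GET /default.idq " + "A" * 300 + " 500\n"
    "2001-08-15 10:15:30 192.0.2.10 GET /search.idq - 200\n"
)


@dataclass
class IdqHit:
    """One .idq request with a query string, plus the facts an analyst needs."""
    time: str
    client: str
    uri: str
    request_len: int   # bytes in the reconstructed request line
    status: int        # sc-status as logged by IIS
    oversized: bool    # request_len > DSIZE_THRESHOLD


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per log record, keyed by the names in the #Fields line."""
    fields: List[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names follow the directive
            continue
        if line.startswith("#"):
            continue                       # other directives (#Software, #Date, ...)
        if not fields:
            raise ValueError("log record seen before any #Fields header")
        yield dict(zip(fields, line.split()))


def find_idq_hits(log_text: str, threshold: int = DSIZE_THRESHOLD) -> List[IdqHit]:
    """Return every .idq request that carried a query string, in log order."""
    hits: List[IdqHit] = []
    for rec in parse_w3c(log_text):
        stem = rec.get("cs-uri-stem", "")
        query = rec.get("cs-uri-query", "-")
        # IIS logs "-" when there was no query; the rule needs ".idq?" so
        # an .idq stem without a query cannot have fired it.
        if not stem.lower().endswith(".idq") or query == "-":
            continue
        uri = f"{stem}?{query}"
        request_line = f"{rec.get('cs-method', 'GET')} {uri} HTTP/1.0\r\n"
        hits.append(IdqHit(
            time=f"{rec['date']} {rec['time']}",
            client=rec["c-ip"],
            uri=uri,
            request_len=len(request_line),
            status=int(rec["sc-status"]),
            oversized=len(request_line) > threshold,
        ))
    return hits


if __name__ == "__main__":
    for hit in find_idq_hits(SAMPLE_LOG):
        verdict = "OVERSIZED" if hit.oversized else "normal size"
        print(f"{hit.time} {hit.client} status={hit.status} "
              f"len={hit.request_len} {verdict}  {hit.uri[:60]}")
```

On a real server, feed the day's log file to find_idq_hits and look at the oversized entries first: the client address, the time and the status code are what you correlate with the Snort alert to decide whether it was a false alarm or a real attempt, which is the information Ryan asks for above.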
Current thread:
- IDS553/web-iis_IIS ISAPI Overflow idq john . ruff (Aug 15)
- Re: IDS553/web-iis_IIS ISAPI Overflow idq Brian Caswell (Aug 15)
- Re: IDS553/web-iis_IIS ISAPI Overflow idq Ryan Russell (Aug 15)
- <Possible follow-ups>
- Re: IDS553/web-iis_IIS ISAPI Overflow idq Dr SuSE (Aug 15)