Snort mailing list archives
Re: IDS553/web-iis_IIS ISAPI Overflow idq
From: Ryan Russell <ryan () securityfocus com>
Date: Wed, 15 Aug 2001 10:55:15 -0600 (MDT)
On Wed, 15 Aug 2001 john.ruff () us abb com wrote:
One of the rules I'm using for Code Red is generating alerts that seem to be false, rather I'm not sure they're reliable. Rule from Whitehats.com:
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS553/web-iis_IIS ISAPI Overflow idq"; dsize: >239; flags: A+; uricontent: ".idq?"; classtype: system-or-info-attempt; reference: arachnids,553;)
There is not enough information in what you sent to determine what is
going on. Can you grep your web server logs for that day for '.idq?' and
send those? That's the only way you're going to determine if it is a false
alarm, whether the attack worked, etc.
In general, the rule is well-written. It only goes off for requests
involving idq, and that exceed the normal request size. Note that the
.ida version of this rule has been going off left and right due to Code
Red.
Ryan
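A log-triage helper for the check suggested above, added here as an example and not code from the thread, from Snort or from Whitehats: it reads IIS W3C Extended log lines (the sample data below is constructed), keeps requests containing ".idq?" as the rule's uricontent test does, approximates the dsize >239 test on the rebuilt request line, and pairs each hit with the server's status code. The log field names and the 239-byte threshold come from the page; because the log records no request headers, the rebuilt request line is only a lower bound on the packet payload Snort measured.

```python
"""Triage IDS553 (.idq) alerts against IIS W3C Extended logs."""
from dataclasses import dataclass

# Constructed sample lines in IIS W3C Extended format (not real log data).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-15 10:01:02 192.0.2.10 GET /query.idq CiRestriction=snort 200
2001-08-15 10:05:44 198.51.100.7 GET /scripts/a.idq {pad} 500
2001-08-15 10:07:00 192.0.2.11 GET /default.htm - 200
""".format(pad="A" * 300)


@dataclass
class IdqHit:
    client: str
    request_line: str
    request_len: int
    status: int
    exceeds_dsize: bool


def parse_w3c(log_text):
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))


def triage_idq(log_text, dsize_threshold=239):
    """Return an IdqHit for every request whose URI contains '.idq?'.

    The request line is rebuilt as 'METHOD URI HTTP/1.0\\r\\n'; headers are
    not logged, so its length is a lower bound on the payload dsize saw.
    """
    hits = []
    for rec in parse_w3c(log_text):
        query = rec["cs-uri-query"]
        uri = rec["cs-uri-stem"] + ("?" + query if query != "-" else "")
        if ".idq?" not in uri.lower():        # the rule's uricontent test
            continue
        request_line = f'{rec["cs-method"]} {uri} HTTP/1.0\r\n'
        hits.append(IdqHit(rec["c-ip"], request_line, len(request_line),
                           int(rec["sc-status"]),
                           len(request_line) > dsize_threshold))
    return hits


if __name__ == "__main__":
    for h in triage_idq(SAMPLE_LOG):
        print(f"{h.client} status={h.status} len={h.request_len} "
              f"over_dsize={h.exceeds_dsize}")
```

Hits whose rebuilt request line already exceeds the threshold are the ones the rule would fire on regardless of headers; the status code then tells the analyst how the server handled the request.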