Snort mailing list archives

mis-labelled WEB-MISC Microsoft Windows ASP.NET information disclosure attempt


From: Jason Haar <Jason_Haar () trimble com>
Date: Mon, 28 May 2012 11:15:51 +1200

Hi there

We've had this triggered by bots scanning our Linux/Apache web servers.
However, when we first saw this, we got a bit freaked out because it
implied we had unpatched IIS servers (well, that's how I interpreted it).

I think this rule is mis-named. It doesn't detect ASP-related scans, it
detects *any* webscanner. So I think it should be renamed and
reclassified, e.g.

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"WEB-MISC
web scanner/bot detected"; flow:to_client,established; file_data;
content:"HTTP/1.1 404 Not Found"; fast_pattern:only;
detection_filter:track by_dst, count 100, seconds 30;
classtype:attempted-recon...........

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
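
Added example, not part of the original post or of the Snort ruleset: a Python sketch of the counting expressed by the rule's detection_filter (track by_dst, count 100, seconds 30), showing that it keys only on the volume of 404 responses sent to one client and on nothing specific to ASP.NET or IIS. The fixed window that restarts after 30 seconds, the event tuple format and the sample traffic are assumptions made for illustration.

```python
# Approximation of "detection_filter:track by_dst, count 100, seconds 30"
# applied to HTTP 404 responses. In a to_client flow the destination is the
# remote client, so state is kept per client IP.

COUNT, SECONDS = 100, 30  # values taken from the rule quoted in the post


def scanner_alerts(events, count=COUNT, seconds=SECONDS):
    """events: time-ordered (timestamp_seconds, client_ip, http_status) tuples.

    Returns (timestamp, client_ip) for every 404 sent after the client has
    already received more than `count` 404s inside the current window.
    Assumption: the window starts at a client's first match and restarts
    once `seconds` have elapsed.
    """
    window = {}  # client_ip -> [window_start, matches_in_window]
    alerts = []
    for ts, client, status in events:
        if status != 404:
            continue  # the rule only matches "404 Not Found" responses
        state = window.get(client)
        if state is None or ts - state[0] >= seconds:
            state = window[client] = [ts, 0]
        state[1] += 1
        if state[1] > count:
            alerts.append((ts, client))
    return alerts


def sample_events():
    """Constructed traffic: one fast scanner, one browser, one slow crawler."""
    events = []
    for i in range(150):   # scanner: ten 404s per second for 15 seconds
        events.append((i / 10, "198.51.100.7", 404))
    for i in range(60):    # browser: mostly 200s, an occasional 404
        events.append((float(i), "203.0.113.20", 404 if i % 12 == 0 else 200))
    for i in range(120):   # slow crawler: one 404 per second, 30 per window
        events.append((float(i), "192.0.2.33", 404))
    return sorted(events)


if __name__ == "__main__":
    alerts = scanner_alerts(sample_events())
    print(len(alerts), "alerts for", sorted({c for _, c in alerts}))
```

The slow crawler never alerts because it stays under 100 matches per 30-second window, so the rule reports request rate rather than what is being probed or which server platform answered.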

