Snort mailing list archives
Re: mis-labelled WEB-MISC Microsoft Windows ASP.NET information disclosure attempt
From: Joel Esler <jesler () sourcefire com>
Date: Sun, 27 May 2012 19:21:40 -0400
Jason thanks. I'll take a look.

--
Joel Esler

On May 27, 2012, at 7:15 PM, Jason Haar <Jason_Haar () trimble com> wrote:

Hi there

We've had this triggered by bots scanning our Linux/Apache web servers. However, when we first saw this, we got a bit freaked out because it implied we had unpatched IIS servers (well, that's how I interpreted it).

I think this rule is mis-named. It doesn't detect ASP-related scans, it detects *any* webscanner. So I think it should be renamed and reclassified, e.g.

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"WEB-MISC web scanner/bot detected"; flow:to_client,established; file_data; content:"HTTP/1.1 404 Not Found"; fast_pattern:only; detection_filter:track by_dst, count 100, seconds 30; classtype:attempted-recon...........

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats.
http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!
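Added example, not part of either message and not Snort's own code: a simplified Python model of the rule text quoted above (the `content:"HTTP/1.1 404 Not Found"` match combined with `detection_filter:track by_dst, count 100, seconds 30`), run over constructed responses from an Apache server. It assumes a fixed 30-second window that starts at the first match per destination and searches the raw response bytes; every IP address and the Apache banner are constructed sample values.

```python
# Added example: simplified model of the rule's 404 match and detection_filter.
# Not Snort code; window handling is an assumption (fixed window from first match).
from collections import defaultdict

PATTERN = b"HTTP/1.1 404 Not Found"   # content match from the rule on the page
COUNT, SECONDS = 100, 30              # detection_filter: count 100, seconds 30


class DetectionFilter:
    """Per-destination counter: a match passes only after COUNT earlier
    matches were seen for the same destination inside the current window."""

    def __init__(self, count=COUNT, seconds=SECONDS):
        self.count, self.seconds = count, seconds
        self.state = {}  # dst ip -> (window_start, matches_in_window)

    def match(self, ts, dst):
        start, seen = self.state.get(dst, (ts, 0))
        if ts - start >= self.seconds:   # window expired: start a new one
            start, seen = ts, 0
        seen += 1
        self.state[dst] = (start, seen)
        return seen > self.count


def run(responses):
    """responses: (ts, server_ip, client_ip, raw_response) tuples in time order.
    Returns {client_ip: alert_count}; track by_dst means the client is tracked."""
    filt, alerts = DetectionFilter(), defaultdict(int)
    for ts, _server, client, raw in responses:
        if PATTERN in raw and filt.match(ts, client):
            alerts[client] += 1
    return dict(alerts)


def sample_traffic():
    """Constructed traffic from one Apache server (all values are made up)."""
    not_found = b"HTTP/1.1 404 Not Found\r\nServer: Apache/2.2.22\r\n\r\n"
    ok = b"HTTP/1.1 200 OK\r\nServer: Apache/2.2.22\r\n\r\n"
    srv, events = "192.0.2.10", []
    for i in range(150):   # fast scanner: 150 404s in 15 seconds
        events.append((i * 0.1, srv, "203.0.113.5", not_found))
    for i in range(120):   # slow crawler: one 404 per second for 2 minutes
        events.append((float(i), srv, "198.51.100.99", not_found))
    for i in range(5):     # ordinary visitor: a few broken links
        events.append((i * 3.0, srv, "198.51.100.7", not_found))
        events.append((i * 3.0 + 1, srv, "198.51.100.7", ok))
    return sorted(events, key=lambda e: e[0])


if __name__ == "__main__":
    print(run(sample_traffic()))
```

Only the fast scanner crosses the threshold in this model, and nothing in the match depends on which web server produced the 404.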
Current thread:
- mis-labelled WEB-MISC Microsoft Windows ASP.NET information disclosure attempt Jason Haar (May 27)
- Re: mis-labelled WEB-MISC Microsoft Windows ASP.NET information disclosure attempt Joel Esler (May 27)