Snort mailing list archives

IDS553/web-iis_IIS ISAPI Overflow idq


From: john.ruff () us abb com
Date: Wed, 15 Aug 2001 09:19:22 -0400



One of the rules I'm using for Code Red is generating alerts that seem to be
false, or rather I'm not sure they're reliable.

Rule from Whitehats.com:
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS553/web-iis_IIS ISAPI Overflow idq"; dsize: >239; flags: A+; uricontent: ".idq?"; classtype: system-or-info-attempt; reference: arachnids,553;)

Here are my log entries. In all cases the traffic flow is from 'web proxy
client' --> 'MS Proxy Server'. What are the chances that this is a false alarm?
I've scanned these clients with Eeye's scanner (v 2.7) and come up with nothing.


[**] [1:0:0] IDS553/web-iis_IIS ISAPI Overflow idq [**]
[Classification: (null)] [Priority: 0]
08/13-20:15:07.904880 <web proxy client>:2251 -> <MS Proxy Server>:80
TCP TTL:124 TOS:0x0 ID:12513 IpLen:20 DgmLen:755 DF
***AP*** Seq: 0x6D986554  Ack: 0x30753892  Win: 0x1DF7  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS553]

[**] [1:1245:1] WEB-IIS ISAPI .idq access [**]
[Classification: Attempted Information Leak] [Priority: 3]
08/13-20:16:00.999006 <web proxy client>:2254 -> <MS Proxy Server>:80
TCP TTL:124 TOS:0x0 ID:24289 IpLen:20 DgmLen:1030 DF
***AP*** Seq: 0x6D996F64  Ack: 0x3075042D  Win: 0x1EB2  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS553]



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
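The quoted IDS553 rule fires on only three things: the TCP ACK flag, a payload larger than 239 bytes, and the string ".idq?" somewhere in the request URI. It carries no content that is specific to the overflow itself, so any long request for a .idq resource satisfies it, and a web proxy client sending the full absolute URL plus its usual browser headers to an MS Proxy Server easily exceeds 239 bytes. The snippet below is an added example (not code from the original post, from Whitehats, or from the Snort project) that evaluates the rule's three conditions against constructed sample packets and recomputes the dsize Snort would see from the IP and TCP header lengths in the quoted alerts. Function names and the sample requests are assumptions made for illustration; the Code Red sample only reproduces the well-known shape of the worm's request line (a long run of "N" after default.ida?) to show that a `.idq?`-only rule does not match it.

```python
# Added example: evaluate the three conditions of the quoted IDS553 rule
# (flags: A+; dsize: >239; uricontent: ".idq?") against constructed packets.
# Not the original poster's code and not Snort's own matching engine.

DSIZE_MIN = 239            # from the rule: dsize: >239
URI_PATTERN = b".idq?"     # from the rule: uricontent: ".idq?"
TCP_ACK = 0x10             # flags: A+ means ACK set, other flag bits ignored


def dsize_from_snort_header(dgmlen, iplen, tcplen):
    """TCP payload length as Snort's dsize sees it: IP total length minus headers."""
    return dgmlen - iplen - tcplen


def request_uri(payload):
    """Return the request-URI of an HTTP request line (the field uricontent
    inspects), or None if the payload does not start with a request line."""
    line = payload.split(b"\r\n", 1)[0]
    parts = line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    return parts[1]


def ids553_matches(payload, tcp_flags):
    """Return (matched, reasons) for one TCP segment, mirroring the rule's options."""
    if not tcp_flags & TCP_ACK:
        return False, ["ACK not set"]
    if len(payload) <= DSIZE_MIN:
        return False, [f"dsize {len(payload)} <= {DSIZE_MIN}"]
    uri = request_uri(payload)
    if uri is None or URI_PATTERN not in uri:
        return False, ['uricontent ".idq?" not in request-URI']
    return True, [f"dsize {len(payload)} > {DSIZE_MIN}", "ACK set",
                  'uricontent ".idq?" in request-URI']


PSH_ACK = 0x18  # ***AP*** in the quoted alerts

# Constructed sample 1: a short, direct Index Server query. Below the size floor.
SHORT_DIRECT_QUERY = (
    b"GET /query.idq?CiRestriction=snort HTTP/1.0\r\n"
    b"Host: intranet\r\n\r\n"
)

# Constructed sample 2: the same kind of query as a browser sends it through a
# proxy: absolute URL, several query parameters, normal browser headers.
# Entirely benign, yet well over 239 bytes, so the rule fires (hypothetical hostname).
PROXIED_QUERY = (
    b"GET http://intranet.example.com/scripts/samples/search/query.idq?"
    b"CiRestriction=%28%40contents+snort+AND+%40contents+rules%29"
    b"&CiMaxRecordsPerPage=25&CiScope=%2F&CiSort=rank%5Bd%5D"
    b"&TemplateName=query&HTMLQueryForm=%2Fsamples%2Fsearch%2Fquery.htm HTTP/1.0\r\n"
    b"Accept: image/gif, image/x-xbitmap, image/jpeg, */*\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)\r\n"
    b"Host: intranet.example.com\r\n"
    b"Proxy-Connection: Keep-Alive\r\n\r\n"
)

# Constructed sample 3: the shape of the Code Red request line (default.ida
# followed by a long run of N). Large enough for dsize, but ".ida?" is not ".idq?".
CODE_RED_SHAPE = b"GET /default.ida?" + b"N" * 224 + b" HTTP/1.0\r\n\r\n"


def evaluate_samples():
    """Run the rule over the three constructed packets; returns name -> matched."""
    samples = {
        "short_direct_query": SHORT_DIRECT_QUERY,
        "proxied_query": PROXIED_QUERY,
        "code_red_shape": CODE_RED_SHAPE,
    }
    return {name: ids553_matches(p, PSH_ACK)[0] for name, p in samples.items()}


if __name__ == "__main__":
    # dsize for the two quoted alerts: DgmLen minus IpLen minus TcpLen
    for dgmlen in (755, 1030):
        print(f"DgmLen {dgmlen}: dsize = {dsize_from_snort_header(dgmlen, 20, 20)}")
    for name, matched in evaluate_samples().items():
        print(f"{name}: {'ALERT' if matched else 'no alert'}")
```

The two quoted alerts correspond to payloads of 715 and 990 bytes, so the size test alone says nothing about an overflow; the only discriminating check is the URI string, and that is exactly what a legitimate proxied query to a .idq page also carries. Note also that the alert shows "[Classification: (null)] [Priority: 0]" because `system-or-info-attempt` is a Whitehats classtype that is not defined in Snort's default classification.config; the rule still fires, it just gets no classification or priority.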