Snort mailing list archives
IDS553/web-iis_IIS ISAPI Overflow idq
From: john.ruff () us abb com
Date: Wed, 15 Aug 2001 09:19:22 -0400
One of the rules I'm using for Code Red is generating alerts that seem to be false, rather I'm not sure they're reliable.

Rule from Whitehats.com:

alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS553/web-iis_IIS ISAPI Overflow idq"; dsize: >239; flags: A+; uricontent: ".idq?"; classtype: system-or-info-attempt; reference: arachnids,553;)

Here are my log entries. In all cases the traffic flow is from 'web proxy client' --> 'MS Proxy Server'. What are the chances that this is a false alarm? I've scanned these clients with Eeye's scanner (v 2.7) and come up with nothing.

[**] [1:0:0] IDS553/web-iis_IIS ISAPI Overflow idq [**]
[Classification: (null)] [Priority: 0]
08/13-20:15:07.904880 <web proxy client>:2251 -> <MS Proxy Server>:80
TCP TTL:124 TOS:0x0 ID:12513 IpLen:20 DgmLen:755 DF
***AP*** Seq: 0x6D986554 Ack: 0x30753892 Win: 0x1DF7 TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS553]

[**] [1:1245:1] WEB-IIS ISAPI .idq access [**]
[Classification: Attempted Information Leak] [Priority: 3]
08/13-20:16:00.999006 <web proxy client>:2254 -> <MS Proxy Server>:80
TCP TTL:124 TOS:0x0 ID:24289 IpLen:20 DgmLen:1030 DF
***AP*** Seq: 0x6D996F64 Ack: 0x3075042D Win: 0x1EB2 TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS553]
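An added example, not from the post or from Snort itself: a minimal evaluator for the three matching options of the quoted IDS553 rule (dsize, flags, uricontent), run against the two alerts above. The packet sizes and flags come from the log lines; the request URIs are assumed, since a Snort alert header does not record them, and a proxied Index Server query containing ".idq?" is enough to satisfy the rule on a large ordinary request.

```python
import re

# The rule exactly as quoted in the post (arachNIDS IDS553).
RULE = ('alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS553/web-iis_IIS ISAPI '
        'Overflow idq"; dsize: >239; flags: A+; uricontent: ".idq?"; '
        'classtype: system-or-info-attempt; reference: arachnids,553;)')

def parse_options(rule):
    """Split a Snort rule's option block into {keyword: value}."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts = {}
    for item in body.split(";"):
        if ":" in item:
            key, val = item.split(":", 1)
            opts[key.strip()] = val.strip().strip('"')
    return opts

def payload_size(dgmlen, iplen, tcplen):
    """Snort's dsize is the TCP payload: IP total length minus both headers."""
    return dgmlen - iplen - tcplen

def flags_from_log(field):
    """'***AP***' in a Snort alert -> {'A', 'P'} (asterisks are unset bits)."""
    return {c for c in field if c != "*"}

def matches(opts, dsize, flags, uri):
    """Evaluate the dsize, flags and uricontent options against one packet."""
    op, num = re.match(r"([<>]?)(\d+)", opts["dsize"]).groups()
    num = int(num)
    size_ok = {">": dsize > num, "<": dsize < num, "": dsize == num}[op]
    spec = opts["flags"]                     # 'A+' = ACK set, other bits ignored
    need = set(spec.rstrip("+"))
    flags_ok = need <= flags and (spec.endswith("+") or flags == need)
    return size_ok and flags_ok and opts["uricontent"] in uri

# Packet summaries from the two alerts in the post; the URI is constructed
# (assumed), since Snort's alert header does not record it.
OPTS = parse_options(RULE)
IDQ_QUERY = "http://intranet.example/search/query.idq?CiRestriction=snort"
ALERT_1 = dict(dsize=payload_size(755, 20, 20), flags=flags_from_log("***AP***"))
ALERT_2 = dict(dsize=payload_size(1030, 20, 20), flags=flags_from_log("***AP***"))

def explain(pkt, uri):
    """Show which of the three options a packet satisfies and whether the rule fires."""
    return {"dsize": pkt["dsize"], "ack": "A" in pkt["flags"],
            "uri_hit": OPTS["uricontent"] in uri, "fires": matches(OPTS, uri=uri, **pkt)}

if __name__ == "__main__":
    for name, pkt in (("alert 1", ALERT_1), ("alert 2", ALERT_2)):
        print(name, explain(pkt, IDQ_QUERY))
    # A request without an .idq query fails the rule however large it is.
    print("plain GET", explain(ALERT_1, "http://intranet.example/default.htm"))
```

Both logged packets clear the dsize and ACK conditions by a wide margin, so whether IDS553 fires on proxy traffic is decided entirely by the URI, which is why a benign Index Server query through the proxy looks the same to this rule as an overflow attempt.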
Current thread:
- IDS553/web-iis_IIS ISAPI Overflow idq john . ruff (Aug 15)
- Re: IDS553/web-iis_IIS ISAPI Overflow idq Brian Caswell (Aug 15)
- Re: IDS553/web-iis_IIS ISAPI Overflow idq Ryan Russell (Aug 15)
- Re: IDS553/web-iis_IIS ISAPI Overflow idq Dr SuSE (Aug 15)