Snort mailing list archives
snort 1.8.1 sometimes not logging packets on .ida attempt rule
From: Russell Fulton <r.fulton () auckland ac nz>
Date: Mon, 15 Oct 2001 15:58:40 +1300 (NZDT)
Greetings,
I am running snort 1.8.1 on a debian linux system. With the
demise of Code Red II the noise level on the .ida alerts has dropped
way down but I am still seeing a trickle of ida alerts. A few are the
old original code red (with the NNNN padding) as expected but others
don't have any packet captures to correspond to the alerts.
I also have an old snort 1.7 running on another box watching the same
bit of network and this one does not record the .ida attempts that fail
to produce packet captures on 1.8.1 (yes I do have an ida? rule in the
1.7 ruleset).
I have verified in at least one instance that the alert was correct by
examining the logs of the web server which was targeted.
[**] [1:1243:1] WEB-IIS ISAPI .ida attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 10]
10/15-14:11:29.254613 0:0:0:0:0:0 -> 0:0:0:0:0:0 type:0x0 len:0x5EE
212.45.6.18:48445 -> 130.216.74.20:80 TCP TTL:240 TOS:0x10 ID:0
IpLen:20 DgmLen:1504
***AP*** Seq: 0xA70ABE0D Ack: 0x73F6BD5A Win: 0x2238 TcpLen: 20
212.45.6.18 - - [15/Oct/2001:14:11:29 +1300] "GET
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
HTTP/1.0" 400 336 "-" "-"
Here is the ida rule that I am using on 1.8.1:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI
.ida attempt"; uricontent:".ida?"; nocase; dsize:>239; flags:A+;
reference:arachnids,552; classtype:attempted-admin;
reference:cve,CAN-2000-0071; sid:1243; rev:1;)
and 1.7:
alert TCP $EXTERNAL_NET any -> $HOME_NET 80 (msg: "IDS552/web-iis_IIS
ISAPI Overflow ida"; flags: A; content: ".ida?";)
Any ideas why 1.7 isn't logging these and (more importantly ;-) 1.8.1
isn't logging the packet?
Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand
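As an added illustration (not code from the post, and not Snort's own matching engine), the following Python model reproduces the three rule options the two rules above combine: the TCP flags test, the payload size test, and the content/uricontent search. In Snort's flags option, "A" on its own matches only packets whose flag byte is exactly ACK, whereas "A+" matches ACK together with any other bits; the alert in the post shows ***AP***. The sample request is constructed to resemble the web-server log line quoted above, and the Packet class and rule functions are this example's own simplification, not Snort data structures.

```python
"""Toy model of the Snort 'flags', 'dsize' and 'content'/'uricontent'
checks used by the two .ida rules (added example, not Snort source)."""
from dataclasses import dataclass

# TCP flag bits, named as Snort's flags option names them
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}


@dataclass
class Packet:
    flags: str      # e.g. "AP" for ACK+PSH, as printed in the alert header
    payload: bytes  # TCP payload carrying the HTTP request


def parse_flags(spec: str) -> int:
    """Turn a flag string such as 'AP' into a bitmask ('0' means no flags)."""
    if spec == "0":
        return 0
    mask = 0
    for ch in spec:
        mask |= FLAG_BITS[ch]
    return mask


def flags_match(rule_flags: str, pkt_flags: str) -> bool:
    """Snort semantics: 'A' = exactly ACK; 'A+' = ACK plus anything;
    'A*' = any of the listed bits."""
    modifier = rule_flags[-1] if rule_flags[-1] in "+*" else ""
    want = parse_flags(rule_flags.rstrip("+*"))
    have = parse_flags(pkt_flags)
    if modifier == "+":
        return have & want == want
    if modifier == "*":
        return have & want != 0
    return have == want


def uri_of(payload: bytes) -> bytes:
    """Pull the request-URI out of the HTTP request line (what uricontent inspects)."""
    request_line = payload.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    return parts[1] if len(parts) >= 2 else b""


def rule_1_8_1(pkt: Packet) -> bool:
    """uricontent:".ida?"; nocase; dsize:>239; flags:A+"""
    return (flags_match("A+", pkt.flags)
            and len(pkt.payload) > 239
            and b".ida?" in uri_of(pkt.payload).lower())


def rule_1_7(pkt: Packet) -> bool:
    """flags: A; content: ".ida?" (no nocase, so the search is case-sensitive)"""
    return flags_match("A", pkt.flags) and b".ida?" in pkt.payload


def evaluate(pkt: Packet) -> dict:
    """Return which of the two rules would fire on the packet."""
    return {"1.8.1": rule_1_8_1(pkt), "1.7": rule_1_7(pkt)}


# Constructed sample modelled on the log line in the post: ACK+PSH, long .ida? URI
SAMPLE_PAYLOAD = (b"GET /default.ida?" + b"N" * 224
                  + b"%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801 HTTP/1.0\r\n\r\n")
SAMPLE = Packet(flags="AP", payload=SAMPLE_PAYLOAD)

if __name__ == "__main__":
    print("ACK+PSH packet:", evaluate(SAMPLE))
    print("ACK-only packet:", evaluate(Packet("A", SAMPLE_PAYLOAD)))
```

Running it shows the 1.8.1 rule matching the ACK+PSH packet while the 1.7 rule, whose "flags: A" requires exactly ACK, does not; replacing the flags with a bare "A" makes both rules match. The model only covers the rule-matching side of the question and says nothing about why 1.8.1 would alert without writing the packet capture.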
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
