Snort mailing list archives
Re: FrontPage Events
From: Roelof JT Jonkman <roel () SiliconDefense com>
Date: Thu, 04 Apr 2002 14:32:52 -0800
Paul,
> I am seeing quite a bit of the _vti_rpc, _vti_inf, and _vti_bin events in my SNORT logs. I am a little confused on exactly what would trigger these - being that some of the sources are "trusted" hosts. I am also not having much luck finding good info on the web that explains what these events are and the types of events that trigger them (or if they are false positives, etc.). Can someone recommend a good resource so that I may investigate these events further?
Excuse my lousy explanation, but this is what I know of it:

*vti* things are the FrontPage extensions in IIS. vti stands for Vermeer Technology Incorporated, the company MS bought that was producing FrontPage. FrontPage needs quite a few hooks into the server to do the 'publishing' (meaning putting it on the server). Particular directories and files indicate that FrontPage is enabled on a server (the _vti_* things), and particular directories contain CGI-type scripts.

Of course the convenience of FrontPage came with a gotcha: the FrontPage extensions are quite vulnerable to exploitation. Although most of these are older exploits, to my knowledge at least, snort has signatures for this. Older worms made use of this to exploit IIS servers.

Not complete in explanation (I stay away from anything M$), but hopefully it sheds some light on it.

roel
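As an added example that is not part of the original message: one way to follow up on such events is to cross-check them against the web server's access log, grouping requests that touch the `_vti_*` paths by source, by whether that source is on the site's own trusted list, and by HTTP status. The log lines, addresses and the `TRUSTED_NETS` list below are constructed for illustration, and the Common Log Format input is an assumption.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [04/Apr/2002:10:01:02 -0800] "GET /_vti_inf.html HTTP/1.0" 200 1754
192.0.2.10 - - [04/Apr/2002:10:01:03 -0800] "POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.0" 200 312
198.51.100.7 - - [04/Apr/2002:11:15:40 -0800] "GET /_vti_inf.html HTTP/1.0" 404 290
198.51.100.7 - - [04/Apr/2002:11:15:41 -0800] "GET /_vti_bin/shtml.exe HTTP/1.0" 404 290
198.51.100.7 - - [04/Apr/2002:11:15:42 -0800] "GET /index.html HTTP/1.0" 200 5120
"""

# Assumption: the networks this site treats as "trusted" (hypothetical values).
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
# The three markers named in the question.
MARKERS = ("_vti_rpc", "_vti_inf", "_vti_bin")


def is_trusted(src, trusted_nets):
    """True if src is an IP inside a trusted network; hostnames count as untrusted."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in trusted_nets)


def triage(log_text, trusted_nets=TRUSTED_NETS):
    """Count _vti_* requests keyed by (source, trusted?, marker, HTTP status)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        src, _method, path, status = m.groups()
        for marker in MARKERS:
            # One request can match several markers, e.g. /_vti_bin/.../_vti_rpc.
            if marker in path.lower():
                counts[(src, is_trusted(src, trusted_nets), marker, int(status))] += 1
    return counts


def untrusted_sources(counts):
    """Sources outside the trusted list that touched any _vti_* path."""
    return sorted({src for (src, trusted, _m, _s) in counts if not trusted})
```

A 404 on these paths means the server did not serve the requested resource, while a 200 from an untrusted source is the case worth looking at first.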
Current thread:
- FrontPage Events Bradley, Paul (Apr 03)
- Re: FrontPage Events Roelof JT Jonkman (Apr 04)