Snort mailing list archives

Re: FrontPage Events


From: Roelof JT Jonkman <roel () SiliconDefense com>
Date: Thu, 04 Apr 2002 14:32:52 -0800

Paul,

I am seeing quite a bit of the _vti_rpc, _vti_inf, and _vti_bin events in my
SNORT logs.  I am a little confused on exactly what would trigger these -
being that some of the sources are "trusted" hosts.  I am also not having
much luck finding good info on the web that explains what these events are
and the types of events that trigger them (or if they are false positives,
etc.).  Can someone recommend a good resource so that I may investigate
these events further?

Excuse my lousy explanation, but this is what I know of it:

The *vti* things are the FrontPage extensions in IIS. vti stands for Vermeer
Technology Incorporated, the company MS bought that was producing FrontPage.

FrontPage needs quite a few hooks into the server to do the 'publishing'
(meaning putting it on the server). Particular directories and files
indicate that FrontPage is enabled on a server (the _vti_* things),
and particular directories contain CGI-type scripts.

Of course the convenience of FrontPage came with a gotcha: the
FrontPage extensions are quite vulnerable to exploitation.

Although most of these are older exploits, to my knowledge at least,
Snort has signatures for them.  Older worms made use of these to
exploit IIS servers.

Not complete in explanation (I stay away from anything M$) but
hopefully it sheds some light on it.

                roel
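The triage Paul is asking about (which _vti_* hits come from legitimate FrontPage publishing by trusted hosts, and which look like probes) can be done against the web server's own access log alongside the Snort alerts. The script below is an added example and is not code from the original post or from the Snort project: it parses Common Log Format lines, spots requests touching _vti_* paths, classifies them as publishing RPC traffic, _vti_inf.html discovery, directory traversal or other, and then flags per-source hosts that warrant a look. The log lines and the trusted-host list are constructed for the example; the publishing endpoint names are the standard FrontPage Server Extensions paths, while the classification and flagging thresholds are this example's own assumptions, not rules from any signature set.

```python
"""Triage FrontPage (_vti_*) requests from a web-server access log.

Added example, not from the original post. Assumes Common Log Format input.
The sample log lines and the trusted-host list below are constructed.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Common Log Format: host ident user [time] "METHOD PATH PROTO" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)'
)

# Any FrontPage Server Extensions path component (_vti_bin, _vti_inf, _vti_rpc, ...)
VTI_RE = re.compile(r'/_vti_[a-z]+', re.IGNORECASE)

# Standard FrontPage client RPC endpoints: the FrontPage client POSTs to these
# when authoring/publishing. Seeing them from a content author's host is normal.
PUBLISH_ENDPOINTS = (
    '/_vti_bin/shtml.dll/_vti_rpc',
    '/_vti_bin/shtml.exe/_vti_rpc',
    '/_vti_bin/_vti_aut/author.dll',
    '/_vti_bin/_vti_adm/admin.dll',
)

# Constructed sample log (not a real capture). 10.0.0.5 is a trusted author
# publishing normally; 192.0.2.77 is probing a box that has no FPSE (404s).
LOG = """\
10.0.0.5 - - [04/Apr/2002:14:01:07 -0800] "GET /_vti_inf.html HTTP/1.1" 200 1754
10.0.0.5 - - [04/Apr/2002:14:01:08 -0800] "POST /_vti_bin/shtml.dll/_vti_rpc HTTP/1.1" 200 512
10.0.0.5 - - [04/Apr/2002:14:01:09 -0800] "POST /_vti_bin/_vti_aut/author.dll HTTP/1.1" 200 2048
192.0.2.77 - - [04/Apr/2002:14:20:31 -0800] "GET /_vti_inf.html HTTP/1.0" 404 312
192.0.2.77 - - [04/Apr/2002:14:20:32 -0800] "GET /_vti_bin/shtml.exe/_vti_rpc HTTP/1.0" 404 312
192.0.2.77 - - [04/Apr/2002:14:20:33 -0800] "GET /_vti_bin/..%5c..%5c..%5cboot.ini HTTP/1.0" 404 312
198.51.100.9 - - [04/Apr/2002:14:30:00 -0800] "GET /index.html HTTP/1.1" 200 4096
"""
TRUSTED = {'10.0.0.5'}  # assumed list of hosts allowed to publish


def parse_line(line):
    """Return the CLF fields of one line as a dict, or None if it does not parse."""
    m = CLF_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    return rec


def classify(method, path):
    """Label a request touching a _vti_* path; None if it does not touch one."""
    if not VTI_RE.search(path):
        return None
    # Decode %xx escapes, drop the query string, and treat backslashes as
    # separators so encoded "..\" sequences are seen as traversal too.
    decoded = unquote(path.split('?', 1)[0]).replace('\\', '/').lower()
    if any(seg == '..' for seg in decoded.split('/')):
        return 'traversal'
    if decoded.startswith(PUBLISH_ENDPOINTS):
        return 'publish' if method == 'POST' else 'other'
    if decoded.endswith('/_vti_inf.html'):
        return 'discovery'  # client reads this to learn the FPSE version/paths
    return 'other'


def triage(log_text, trusted_hosts):
    """Per source host: trusted flag, count of each request class, 4xx/5xx count."""
    summary = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec['method'], rec['path'])
        if kind is None:
            continue
        entry = summary.setdefault(rec['host'], {
            'trusted': rec['host'] in trusted_hosts,
            'counts': Counter(),
            'errors': 0,
        })
        entry['counts'][kind] += 1
        if rec['status'] >= 400:
            entry['errors'] += 1
    return summary


def needs_attention(summary):
    """Hosts to look at: any traversal, any untrusted source, or errors without
    real publishing traffic (a trusted box that only produces failed _vti_ hits)."""
    flagged = []
    for host, entry in sorted(summary.items()):
        c = entry['counts']
        if c['traversal'] or not entry['trusted'] or (entry['errors'] and not c['publish']):
            flagged.append(host)
    return flagged


if __name__ == '__main__':
    result = triage(LOG, TRUSTED)
    for host, entry in sorted(result.items()):
        print(host, 'trusted' if entry['trusted'] else 'UNTRUSTED',
              dict(entry['counts']), 'errors=%d' % entry['errors'])
    print('look at:', needs_attention(result))
```

Run it against a real access log by replacing LOG with the file contents; the point is that a trusted author's POSTs to the _vti_rpc/author.dll endpoints returning 200 are the expected FrontPage publishing pattern, whereas GETs for _vti_inf.html and _vti_bin paths from an unknown host (especially ones returning 404 or carrying `..`) are the probe traffic that the Snort _vti_ signatures are really there to catch.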


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
