[unisog] IIS problem du jour

Gary Flynn flynngn at jmu.edu
Tue Mar 18 15:15:31 GMT 2003


Joshua Wright wrote:
 > Can anyone shed some light on a signature that could be used to detect
 > this tool?  The snort-sigs list hasn't come up with a signature for this
 > attack yet.  If anyone believes they are seeing attacks to exploit this
 > vulnerability, please share obfuscated logging information from IIS.

I haven't had a chance to examine capture data for these but
here ya go....

Here is an exploit sig from Symantec:
  http://securityresponse.symantec.com/avcenter/security/Content/3.17.2003.html

There are some sigs to detect general webdav operations
attached. They were posted to the snort-sigs list by Frank
Knobbe.

-- 
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe
-------------- next part --------------
# Snort rules (posted to snort-sigs by Frank Knobbe) that log WebDAV and other
# extended HTTP methods sent to $HTTP_SERVERS. Each rule matches the method token
# at the very start of the request payload (offset:0) inside a window of `depth`
# bytes, so `depth` must be at least the length of the content string. The plain
# GET/POST/HEAD rules are left commented out.
log tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Method LOCK"; flow:to_server,established; content:"LOCK "; offset:0; depth:5; classtype:web-application-activity;)
log tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Method OPTIONS"; flow:to_server,established; content:"OPTIONS "; offset:0; depth:8; classtype:web-application-activity;)
log tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Method TRACE"; flow:to_server,established; content:"TRACE "; offset:0; depth:6; classtype:web-application-activity;)
#log tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Method GET"; flow:to_server,established; content:"GET "; offset:0; depth:4; classtype:web-application-activity;)
#log tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Method POST"; flow:to_server,established; content:"POST "; offset:0; depth:5; classtype:web-application-activity;)
#log tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Method HEAD"; flow:to_server,established; content:"HEAD "; offset:0; depth:5; classtype:web-application-activity;)
log tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Method BDELETE"; flow:to_server,established; content:"BDELETE "; offset:0; depth:8; classtype:web-application-activity;)
log tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Method DELETE"; flow:to_server,established; content:"DELETE "; offset:0; depth:7; classtype:web-application-activity;)
log tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Method PUT"; flow:to_server,established; content:"PUT "; offset:0; depth:4; classtype:web-application-activity;)
log tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Method BCOPY"; flow:to_server,established; content:"BCOPY "; offset:0; depth:6; classtype:web-application-activity;)
log tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Method COPY"; flow:to_server,established; content:"COPY "; offset:0; depth:5; classtype:web-application-activity;)
log tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Method BMOVE"; flow:to_server,established; content:"BMOVE "; offset:0; depth:6; classtype:web-application-activity;)
log tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Method MOVE"; flow:to_server,established; content:"MOVE "; offset:0; depth:5; classtype:web-application-activity;)
# "MKCOL " is six bytes; as originally posted this rule had depth:5 and so could never match.
log tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Method MKCOL"; flow:to_server,established; content:"MKCOL "; offset:0; depth:6; classtype:web-application-activity;)
log tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Method BPROPFIND"; flow:to_server,established; content:"BPROPFIND "; offset:0; depth:10; classtype:web-application-activity;)
log tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Method PROPFIND"; flow:to_server,established; content:"PROPFIND "; offset:0; depth:9; classtype:web-application-activity;)
log tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Method BPROPPATCH"; flow:to_server,established; content:"BPROPPATCH "; offset:0; depth:11; classtype:web-application-activity;)
log tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Method PROPPATCH"; flow:to_server,established; content:"PROPPATCH "; offset:0; depth:10; classtype:web-application-activity;)
log tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Method UNLOCK"; flow:to_server,established; content:"UNLOCK "; offset:0; depth:7; classtype:web-application-activity;)
log tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Method SEARCH"; flow:to_server,established; content:"SEARCH "; offset:0; depth:7; classtype:web-application-activity;)
log tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Method POLL"; flow:to_server,established; content:"POLL "; offset:0; depth:5; classtype:web-application-activity;)
log tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Method SUBSCRIBE"; flow:to_server,established; content:"SUBSCRIBE "; offset:0; depth:10; classtype:web-application-activity;)
log tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Method UNSUBSCRIBE"; flow:to_server,established; content:"UNSUBSCRIBE "; offset:0; depth:12; classtype:web-application-activity;)
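To see what these rules actually do and do not catch, here is an added Python illustration (not Snort code, and not part of the original post or of Frank Knobbe's attachment) that applies Snort's content/offset/depth semantics to a few constructed request payloads. Three rule lines are copied from the attachment; the MKCOL rule is written with depth:5 against its six-byte content string, the kind of off-by-one that is easy to make when writing these by hand and that a lint pass catches. The matcher ignores the flow, port and classtype options and assumes every sample payload is a client-to-server request on an established connection.

```python
import re

# Rule text copied from the attachment (the MKCOL line with depth:5 against a
# six-byte content string). Everything else is an added illustration of how
# Snort's content/offset/depth options constrain the match.
RULES_TEXT = """
log tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Method PROPFIND"; flow:to_server,established; content:"PROPFIND "; offset:0; depth:9; classtype:web-application-activity;)
log tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Method SEARCH"; flow:to_server,established; content:"SEARCH "; offset:0; depth:7; classtype:web-application-activity;)
log tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Method MKCOL"; flow:to_server,established; content:"MKCOL "; offset:0; depth:5; classtype:web-application-activity;)
#log tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Method GET"; flow:to_server,established; content:"GET "; offset:0; depth:4; classtype:web-application-activity;)
"""

# Only the options this toy matcher honours are extracted; flow, ports and
# classtype are ignored (assumption: every sample payload is a client->server
# request on an established connection).
RULE_RE = re.compile(
    r'msg:"(?P<msg>[^"]+)";.*?content:"(?P<content>[^"]+)";'
    r'\s*offset:(?P<offset>\d+);\s*depth:(?P<depth>\d+);'
)


def parse_rules(text):
    """Turn rule lines into dicts; '#' lines are disabled rules, as in Snort."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.search(line)
        if m is None:
            raise ValueError("unparsed rule: " + line)
        rules.append({
            "msg": m.group("msg"),
            "content": m.group("content").encode("ascii"),
            "offset": int(m.group("offset")),
            "depth": int(m.group("depth")),
        })
    return rules


def content_matches(payload, content, offset, depth):
    """Snort semantics: content may appear only inside payload[offset:offset+depth]."""
    window = payload[offset:offset + depth]
    return content in window


def matching_rules(rules, payload):
    """Return the msg of every rule that would log this TCP payload."""
    return [r["msg"] for r in rules
            if content_matches(payload, r["content"], r["offset"], r["depth"])]


def lint_rules(rules):
    """Rules whose depth window is shorter than their content can never fire."""
    return [r["msg"] for r in rules if r["depth"] < len(r["content"])]


def widen_depth(rules):
    """Copy of the rules with every depth raised to at least the content length."""
    return [dict(r, depth=max(r["depth"], len(r["content"]))) for r in rules]


# Constructed sample request payloads (not captured traffic).
PROPFIND_REQ = b"PROPFIND / HTTP/1.1\r\nHost: iis.example\r\nDepth: 1\r\n\r\n"
MKCOL_REQ = b"MKCOL /newdir HTTP/1.1\r\nHost: iis.example\r\n\r\n"
# Two requests in one payload: the SEARCH is not at offset 0, so it is missed.
PIPELINED_REQ = (b"GET / HTTP/1.1\r\nHost: iis.example\r\n\r\n"
                 b"SEARCH / HTTP/1.1\r\nHost: iis.example\r\n\r\n")


if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    for name, payload in [("PROPFIND", PROPFIND_REQ), ("MKCOL", MKCOL_REQ),
                          ("pipelined", PIPELINED_REQ)]:
        print(name, "->", matching_rules(rules, payload))
    print("never-matching rules:", lint_rules(rules))
    print("after widening depth, MKCOL ->",
          matching_rules(widen_depth(rules), MKCOL_REQ))
```

Two things worth taking from the run: a content string longer than its depth window silently never matches (the lint pass flags the MKCOL rule, and widening the depth makes it fire), and offset:0 anchors the match to the start of whatever payload the rule is evaluated against, so a WebDAV request that follows another request in the same payload is not logged by these rules. They also log the method only; they say nothing about the request URI or body, which is where any exploit content would be.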