List: snort-sigs
Subject: [Snort-sigs] Snort-sigs - 1242, 1243, 1244, 1245
From: "John Berkers" <berjo@ozemail.com.au>
Date: 2002-01-24 11:21:07
IDA and IDQ access and attempt signature documentation
See attached files (4).
John Berkers ICQ: 112912
Network Services Hansen Corporation
john.berkers@hancorp.com.au berjo@ozemail.com.au
["snort-sig-1245.txt" (text/plain)]
Rule: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .idq access"; uricontent:".idq"; nocase; flags:A+; reference:arachnids,553; classtype:web-application-activity; reference:cve,CAN-2000-0071; sid:1245; rev:2;)
--
Sid: 1245
--
Summary: Somebody has attempted to access a potentially vulnerable web application on Microsoft IIS.
--
Impact: Possible system compromise.
--
Detailed Information: This signature indicates that someone has attempted to access a potentially vulnerable IIS ISAPI extension. IDA and IDQ scripts are processed by idq.dll, a component of the Indexing Service that provides support for administrative scripts (.ida) and Internet Data Queries (.idq).
--
Attack Scenarios: A malicious user uses this vulnerability to gain control of the server running IIS.
--
Ease of Attack: Easy. A number of worms (Code Red, Nimda) use this vulnerability to spread to web servers. There also exist a number of scripted utilities to exploit this vulnerability.
--
False Positives: There are legitimate uses for '.ida' and '.idq' scripts. You should know if any of them exist on your web servers.
--
False Negatives:
--
Corrective Action: Install the latest patches from Microsoft. Remove the .ida and .idq script mappings using the IIS administration tool if they are not being used.
--
Contributors:
--
Additional References:
Microsoft Security Bulletin: MS01-033
["snort-sig-1242.txt" (text/plain)]
Rule: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .ida access"; uricontent:".ida"; nocase; flags:A+; reference:arachnids,552; classtype:web-application-activity; reference:cve,CAN-2000-0071; sid:1242; rev:2;)
--
Sid: 1242
--
Summary: Somebody has attempted to access a potentially vulnerable web application on Microsoft IIS.
--
Impact: Possible system compromise.
--
Detailed Information: This signature indicates that someone has attempted to access a potentially vulnerable IIS ISAPI extension. IDA and IDQ scripts are processed by idq.dll, a component of the Indexing Service that provides support for administrative scripts (.ida) and Internet Data Queries (.idq).
--
Attack Scenarios: A malicious user uses this vulnerability to gain control of the server running IIS.
--
Ease of Attack: Easy. A number of worms (Code Red, Nimda) use this vulnerability to spread to web servers. There also exist a number of scripted utilities to exploit this vulnerability.
--
False Positives: There are legitimate uses for '.ida' and '.idq' scripts. You should know if any of them exist on your web servers.
--
False Negatives:
--
Corrective Action: Install the latest patches from Microsoft. Remove the .ida and .idq script mappings using the IIS administration tool if they are not being used.
--
Contributors:
--
Additional References:
Microsoft Security Bulletin: MS01-033
["snort-sig-1243.txt" (text/plain)]
Rule: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .ida attempt"; uricontent:".ida?"; nocase; dsize:>239; flags:A+; reference:arachnids,552; classtype:web-application-attack; reference:cve,CAN-2000-0071; sid:1243; rev:2;)
--
Sid: 1243
--
Summary: Somebody has attempted to exploit a potentially vulnerable web application on Microsoft IIS.
--
Impact: Possible system compromise.
--
Detailed Information: This signature indicates that someone has attempted to exploit a potentially vulnerable IIS ISAPI extension. IDA and IDQ scripts are processed by idq.dll, a component of the Indexing Service that provides support for administrative scripts (.ida) and Internet Data Queries (.idq).
The .ida? indicates that the script was passed an argument, and the dsize > 239 indicates that an overflow was attempted.
--
Attack Scenarios: A malicious user uses this vulnerability to gain control of the server running IIS.
--
Ease of Attack: Easy. A number of worms (Code Red, Nimda) use this vulnerability to spread to web servers. There also exist a number of scripted utilities to exploit this vulnerability.
--
False Positives: The likelihood of false positives is low. Keep in mind, however, that this signature may trigger frequently due to a number of worms actively using this exploit to spread.
--
False Negatives:
--
Corrective Action: Install the latest patches from Microsoft. Remove the .ida and .idq script mappings using the IIS administration tool if they are not being used.
--
Contributors:
--
Additional References:
Microsoft Security Bulletin: MS01-033
["snort-sig-1244.txt" (text/plain)]
Rule: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .idq attempt"; uricontent:".idq?"; nocase; dsize:>239; flags:A+; reference:arachnids,553; classtype:web-application-attack; reference:cve,CAN-2000-0071; sid:1244; rev:2;)
--
Sid: 1244
--
Summary: Somebody has attempted to exploit a potentially vulnerable web application on Microsoft IIS.
--
Impact: Possible system compromise.
--
Detailed Information: This signature indicates that someone has attempted to exploit a potentially vulnerable IIS ISAPI extension. IDA and IDQ scripts are processed by idq.dll, a component of the Indexing Service that provides support for administrative scripts (.ida) and Internet Data Queries (.idq).
The .idq? indicates that the script was passed an argument, and the dsize > 239 indicates that an overflow was attempted.
--
Attack Scenarios: A malicious user uses this vulnerability to gain control of the server running IIS.
--
Ease of Attack: Easy. A number of worms (Code Red, Nimda) use this vulnerability to spread to web servers. There also exist a number of scripted utilities to exploit this vulnerability.
--
False Positives: The likelihood of false positives is low. Keep in mind, however, that this signature may trigger frequently due to a number of worms actively using this exploit to spread.
--
False Negatives:
--
Corrective Action: Install the latest patches from Microsoft. Remove the .ida and .idq script mappings using the IIS administration tool if they are not being used.
--
Contributors:
--
Additional References:
Microsoft Security Bulletin: MS01-033
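The matching logic of the four rules above, as an added example that is not part of the original post or of Snort: a small Python evaluator that parses the uricontent, nocase and dsize options and applies them to constructed HTTP requests, showing why a short legitimate .idq query fires only the "access" rule while an oversized .ida? argument fires both "access" and "attempt". It assumes flags:A+ is satisfied and treats each whole request as one TCP payload.

```python
# Option strings copied from the four rules in this post (sids 1242-1245).
# flags:A+ is taken as satisfied, i.e. the request arrives in an established stream.
RULE_OPTIONS = {
    1242: 'msg:"WEB-IIS ISAPI .ida access"; uricontent:".ida"; nocase; flags:A+; sid:1242;',
    1245: 'msg:"WEB-IIS ISAPI .idq access"; uricontent:".idq"; nocase; flags:A+; sid:1245;',
    1243: 'msg:"WEB-IIS ISAPI .ida attempt"; uricontent:".ida?"; nocase; dsize:>239; flags:A+; sid:1243;',
    1244: 'msg:"WEB-IIS ISAPI .idq attempt"; uricontent:".idq?"; nocase; dsize:>239; flags:A+; sid:1244;',
}

def parse_options(opts: str) -> dict:
    """Split a Snort option string into {keyword: value}; flag keywords map to ''."""
    parsed = {}
    for item in (o.strip() for o in opts.split(";")):
        if item:
            key, _, val = item.partition(":")
            parsed[key] = val.strip('"')
    return parsed

def dsize_ok(spec: str, size: int) -> bool:
    """Evaluate a dsize test ('>239', '<100' or an exact '239') against a payload size."""
    if spec[0] == ">":
        return size > int(spec[1:])
    if spec[0] == "<":
        return size < int(spec[1:])
    return size == int(spec)

def matching_sids(request: bytes) -> list:
    """Return sids whose uricontent/nocase/dsize tests all match one request. Simplified:
    the whole request is one TCP payload and the URI is the raw request-line target."""
    request_line = request.split(b"\r\n", 1)[0].decode("latin-1")
    parts = request_line.split(" ")
    uri = parts[1] if len(parts) > 1 else ""
    hits = []
    for sid, opts in RULE_OPTIONS.items():
        rule = parse_options(opts)
        needle, hay = rule["uricontent"], uri
        if "nocase" in rule:
            needle, hay = needle.lower(), hay.lower()
        if needle in hay and dsize_ok(rule.get("dsize", ">-1"), len(request)):
            hits.append(sid)
    return sorted(hits)

# Constructed sample requests (not captured traffic); the 300-byte argument is plain padding.
LEGIT_IDQ = b"GET /query.idq?CiRestriction=snort HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
LONG_IDA = b"GET /default.ida?" + b"A" * 300 + b" HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
PLAIN = b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"

if __name__ == "__main__":
    for name, req in [("legit idq", LEGIT_IDQ), ("long ida", LONG_IDA), ("plain", PLAIN)]:
        print(name, matching_sids(req))
```

Real Snort applies uricontent to the normalised URI of each packet, so a request split across several TCP segments or using URI encoding tricks can behave differently from this single-buffer model.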
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs