
List:       snort-sigs
Subject:    [Snort-sigs] Snort-sigs - 1242, 1243, 1244, 1245
From:       "John Berkers" <berjo () ozemail ! com ! au>
Date:       2002-01-24 11:21:07

IDA and IDQ access and attempt signature documentation

See attached files (4).


John Berkers                                       ICQ: 112912
Network Services                            Hansen Corporation
john.berkers@hancorp.com.au               berjo@ozemail.com.au



["snort-sig-1245.txt" (text/plain)]

Rule:  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .idq \
access"; uricontent:".idq"; nocase; flags:A+; reference:arachnids,553; \
classtype:web-application-activity; reference:cve,CAN-2000-0071; sid:1245; rev:2;)

--
Sid: 1245

--
Summary: Somebody has attempted to access a potentially vulnerable web application on
Microsoft IIS.

--
Impact: Possible system compromise.

--
Detailed Information:  This signature indicates that someone has attempted to access
a potentially vulnerable IIS ISAPI extension.  IDA and IDQ scripts are processed by
idq.dll, a component of the Indexing Service that provides support for
administrative scripts (.ida) and Internet Data Queries (.idq).

--
Attack Scenarios:  A malicious user could use this vulnerability to gain control of the
server running IIS.

--
Ease of Attack:  Easy.  A number of worms (Code Red, Nimda) use this vulnerability to
spread to web servers.  There also exist a number of scripted utilities to exploit
this vulnerability.

--
False Positives:  There are legitimate uses for '.ida' and '.idq' scripts.  You
should know if any of them exist on your web servers.

--
False Negatives:

--
Corrective Action:  Install the latest patches from Microsoft.  Remove the .ida and
.idq script mappings using the IIS administration tool if they are not being used.

--
Contributors:

--
Additional References:
Microsoft Security Bulletin: MS01-033


["snort-sig-1242.txt" (text/plain)]

Rule:  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .ida \
access"; uricontent:".ida"; nocase; flags:A+; reference:arachnids,552; \
classtype:web-application-activity; reference:cve,CAN-2000-0071; sid:1242; rev:2;)

--
Sid: 1242

--
Summary: Somebody has attempted to access a potentially vulnerable web application on
Microsoft IIS.

--
Impact: Possible system compromise.

--
Detailed Information:  This signature indicates that someone has attempted to access
a potentially vulnerable IIS ISAPI extension.  IDA and IDQ scripts are processed by
idq.dll, a component of the Indexing Service that provides support for
administrative scripts (.ida) and Internet Data Queries (.idq).

--
Attack Scenarios:  A malicious user could use this vulnerability to gain control of the
server running IIS.

--
Ease of Attack:  Easy.  A number of worms (Code Red, Nimda) use this vulnerability to
spread to web servers.  There also exist a number of scripted utilities to exploit
this vulnerability.

--
False Positives:  There are legitimate uses for '.ida' and '.idq' scripts.  You
should know if any of them exist on your web servers.

--
False Negatives:

--
Corrective Action:  Install the latest patches from Microsoft.  Remove the .ida and
.idq script mappings using the IIS administration tool if they are not being used.

--
Contributors:

--
Additional References:
Microsoft Security Bulletin: MS01-033


["snort-sig-1243.txt" (text/plain)]

Rule:  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .ida \
attempt"; uricontent:".ida?"; nocase; dsize:>239; flags:A+; reference:arachnids,552; \
classtype:web-application-attack; reference:cve,CAN-2000-0071; sid:1243; rev:2;)

--
Sid: 1243

--
Summary: Somebody has attempted to exploit a potentially vulnerable web application
on Microsoft IIS.

--
Impact: Possible system compromise.

--
Detailed Information:  This signature indicates that someone has attempted to exploit
a potentially vulnerable IIS ISAPI extension.  IDA and IDQ scripts are processed by
idq.dll, a component of the Indexing Service that provides support for
administrative scripts (.ida) and Internet Data Queries (.idq).

The '.ida?' pattern indicates that the script was passed an argument, and dsize > 239
indicates a request payload large enough to be an attempted overflow.

--
Attack Scenarios:  A malicious user could use this vulnerability to gain control of the
server running IIS.

--
Ease of Attack:  Easy.  A number of worms (Code Red, Nimda) use this vulnerability to
spread to web servers.  There also exist a number of scripted utilities to exploit
this vulnerability.

--
False Positives:  The likelihood of false positives is low.  Keep in mind, however,
that this signature may trigger frequently because a number of worms actively use
this exploit to spread.

--
False Negatives:

--
Corrective Action:  Install the latest patches from Microsoft.  Remove the .ida and
.idq script mappings using the IIS administration tool if they are not being used.

--
Contributors:

--
Additional References:
Microsoft Security Bulletin: MS01-033


["snort-sig-1244.txt" (text/plain)]

Rule:  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .idq \
attempt"; uricontent:".idq?"; nocase; dsize:>239; flags:A+; reference:arachnids,553; \
classtype:web-application-attack; reference:cve,CAN-2000-0071; sid:1244; rev:2;)

--
Sid: 1244

--
Summary: Somebody has attempted to exploit a potentially vulnerable web application
on Microsoft IIS.

--
Impact: Possible system compromise.

--
Detailed Information:  This signature indicates that someone has attempted to exploit
a potentially vulnerable IIS ISAPI extension.  IDA and IDQ scripts are processed by
idq.dll, a component of the Indexing Service that provides support for
administrative scripts (.ida) and Internet Data Queries (.idq).

The '.idq?' pattern indicates that the script was passed an argument, and dsize > 239
indicates a request payload large enough to be an attempted overflow.

--
Attack Scenarios:  A malicious user could use this vulnerability to gain control of the
server running IIS.

--
Ease of Attack:  Easy.  A number of worms (Code Red, Nimda) use this vulnerability to
spread to web servers.  There also exist a number of scripted utilities to exploit
this vulnerability.

--
False Positives:  The likelihood of false positives is low.  Keep in mind, however,
that this signature may trigger frequently because a number of worms actively use
this exploit to spread.

--
False Negatives:

--
Corrective Action:  Install the latest patches from Microsoft.  Remove the .ida and
.idq script mappings using the IIS administration tool if they are not being used.

--
Contributors:

--
Additional References:
Microsoft Security Bulletin: MS01-033
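As an added illustration (not part of the original post or of the Snort ruleset), the following Python mirrors the uricontent/dsize logic of sids 1242-1245 over constructed HTTP requests. It shows why the "access" rules also fire on legitimate .ida/.idq use (the false-positive note above) while the "attempt" rules additionally need a payload larger than 239 bytes. The sample requests and host name are constructed, and dsize is taken as the length of the whole TCP payload.

```python
import re
from typing import List, Optional, Tuple

# Rule options copied from the four signatures in this post:
#   sid 1242: uricontent:".ida"  nocase              -> "access"
#   sid 1243: uricontent:".ida?" nocase; dsize:>239  -> "attempt"
#   sid 1245: uricontent:".idq"  nocase              -> "access"
#   sid 1244: uricontent:".idq?" nocase; dsize:>239  -> "attempt"
RULES: List[Tuple[int, str, Optional[int]]] = [
    (1242, ".ida", None),
    (1243, ".ida?", 239),
    (1245, ".idq", None),
    (1244, ".idq?", 239),
]

# Request line of an HTTP request: METHOD SP URI SP HTTP/x.y CRLF
REQUEST_LINE = re.compile(rb"^[A-Z]+ (\S+) HTTP/\d\.\d\r?\n")


def uri_of(payload: bytes) -> Optional[bytes]:
    """Return the request URI from the first line of an HTTP request, or None."""
    m = REQUEST_LINE.match(payload)
    return m.group(1) if m else None


def matching_sids(payload: bytes) -> List[int]:
    """Return the sids whose uricontent (nocase) and dsize constraints the payload meets."""
    uri = uri_of(payload)
    if uri is None:
        return []
    hits = []
    for sid, pattern, min_size in RULES:
        # nocase: compare the URI and pattern case-insensitively
        if pattern.encode().lower() in uri.lower():
            # dsize:>239 applies to the whole TCP payload, not just the URI
            if min_size is None or len(payload) > min_size:
                hits.append(sid)
    return sorted(hits)


# Constructed sample requests (not captures from the original post)
LEGIT_IDQ = b"GET /search/query.idq?CiRestriction=snort HTTP/1.0\r\nHost: www.example.test\r\n\r\n"
UPPER_IDA = b"GET /DEFAULT.IDA HTTP/1.0\r\nHost: www.example.test\r\n\r\n"
LONG_IDA = b"GET /default.ida?" + b"x" * 240 + b" HTTP/1.0\r\nHost: www.example.test\r\n\r\n"
UNRELATED = b"GET /index.html HTTP/1.0\r\nHost: www.example.test\r\n\r\n"

if __name__ == "__main__":
    for name, req in [("legit .idq", LEGIT_IDQ), ("upper .IDA", UPPER_IDA),
                      ("long .ida?", LONG_IDA), ("unrelated", UNRELATED)]:
        print(f"{name:12s} dsize={len(req):3d} sids={matching_sids(req)}")
```

A real Snort deployment matches uricontent against the normalized URI and also applies the flags:A+ and $HTTP_SERVERS constraints, which this mirror omits.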


_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
