> I just installed Snort on my IIS/Proxy server on Monday. On Tuesday I
> logged 255 alerts for the unicode exploit. A check of the log file
> revealed that our server was attacking another server out on the
> internet. I've done the following:

I've had that too. However, the attacks came from a machine I knew was
not compromised, so I did a bit of digging.

From spp_http_decode.c :

---
    if(((temp == 192) ||  /* c0 */
        (temp == 193) ||  /* c1 */
        (temp == 224) ||  /* e0 */
        (temp == 240) ||  /* f0 */
        (temp == 248) ||  /* f8 */
        (temp == 252)) && /* fc */
       check_iis_unicode)
    {
        snprintf(logMessage, sizeof(logMessage),
                 MODNAME ": IIS Unicode attack detected");
        /*(*AlertFunc)(p, logMessage);*/
        CallAlertFuncs(p, logMessage, NULL);
        CallLogFuncs(p, logMessage, NULL);
    }
---

I may be on thin ice here, but it turns out that some country-specific
characters are encoded that way. :-)

In particular, in my case, it happened that the Norwegian character with
the HTML representation ø (an "oe") has an 8-bit ASCII value of 248. So,
every time someone submitted a query to a search engine, submitted an
email via web - or WHATEVER that contained an 'oe' -- snort triggered.

.. I think. I'm not a good C programmer, so there may be some other
things that have to happen before it triggers, but this is what I think
it is. ;)

-- Rune Kristian Viken
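The false positive described above, as an added example that is not Snort's code: the byte test from the spp_http_decode.c excerpt beside a stricter variant (my own refinement, function names assumed) that only alerts when a suspect lead byte is actually followed by a UTF-8 continuation byte, run over constructed decoded-URI samples. It reduces the Latin-1 false positives but does not remove them entirely, since two adjacent 8-bit characters can still look like a sequence.

```c
#include <stddef.h>
#include <stdio.h>

/* Byte values the spp_http_decode.c excerpt treats as an IIS Unicode
 * attack: 0xC0 0xC1 0xE0 0xF0 0xF8 0xFC, the lead bytes of UTF-8
 * sequences that can carry an overlong encoding. */
static int is_suspect_lead(unsigned char c)
{
    return c == 0xC0 || c == 0xC1 || c == 0xE0 ||
           c == 0xF0 || c == 0xF8 || c == 0xFC;
}

/* Naive test, equivalent to the excerpt: any suspect byte alerts,
 * including a lone Latin-1 0xF8 (oe) in a search query. */
int naive_check(const unsigned char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (is_suspect_lead(buf[i]))
            return 1;
    return 0;
}

/* Stricter test (my refinement, not Snort's): alert only when the
 * suspect lead byte is followed by a UTF-8 continuation byte
 * (10xxxxxx) and the pair is an overlong or out-of-range form. */
int overlong_check(const unsigned char *buf, size_t len)
{
    for (size_t i = 0; i + 1 < len; i++) {
        unsigned char next = buf[i + 1];
        if (!is_suspect_lead(buf[i]) || (next & 0xC0) != 0x80)
            continue;                 /* lone 8-bit char, not UTF-8 */
        if (buf[i] == 0xE0 && next >= 0xA0) continue; /* valid 3-byte */
        if (buf[i] == 0xF0 && next >= 0x90) continue; /* valid 4-byte */
        return 1;  /* C0/C1 always overlong; F8/FC never valid UTF-8 */
    }
    return 0;
}

int main(void)
{
    /* Constructed samples: URI bytes after %xx decoding. */
    const unsigned char query[] = "q=s\xF8k";      /* Latin-1 "soek" */
    const unsigned char trav[]  = "..\xC0\xAF..";  /* %c0%af = '/' */
    printf("latin1 query: naive=%d strict=%d\n",
           naive_check(query, sizeof query - 1), overlong_check(query, sizeof query - 1));
    printf("overlong '/': naive=%d strict=%d\n",
           naive_check(trav, sizeof trav - 1), overlong_check(trav, sizeof trav - 1));
    return 0;
}
```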
This archive was generated by hypermail 2b30 : Sun Jun 24 2001 - 20:18:01 PDT