.ida Intrusion Attempt

From: Joe Smith (shadowm4nat_private)
Date: Thu Jul 19 2001 - 09:18:20 PDT

Next message: Dirk Brockhausen: "slice3 question"

Previous message: Joe Smith: "Re: .ida Intrusion Attempt"
Next in thread: Martin Roesch: "Re: .ida Intrusion Attempt"
Reply: Martin Roesch: "Re: .ida Intrusion Attempt"
Maybe reply: Keith.Morgan: "RE: .ida Intrusion Attempt"
Maybe reply: Tulchinskiy, Sasha: "RE: .ida Intrusion Attempt"
Maybe reply: Yom, Francis: "RE: .ida Intrusion Attempt"
Maybe reply: Dr SuSE: "Re: .ida Intrusion Attempt"
Maybe reply: Colby Rice: "RE: .ida Intrusion Attempt"
Reply: Ulrich Keil: "RE: .ida Intrusion Attempt"
Reply: Russell Fulton: "Re: .ida Intrusion Attempt"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hey all,

Just got this .ida attack on my sensors.  This is
cute, how it splits the GET from the default.ida?
query.

Please note that while snort did detect it, it wasn't
detected by the .ida rule.  Instead, it detected
it as a whisker splice attack.

alert TCP $EXTERNAL any -> $INTERNAL 80 (msg:
"IDS415/web-misc_http-whisker-splicing-attack-tab"; 
dsize: <5; flags: A+; content: "|09|"; classtype:
suspicious; reference: arachnids,415;)

alert TCP $EXTERNAL any -> $INTERNAL 80 (msg:
"IDS552/web-iis_IIS ISAPI Overflow ida"; dsize: >239; 
flags: A+; uricontent: ".ida?"; classtype:
system-or-info-attempt; reference: arachnids,552;)

I'm guessing that once snort found a match with
whisker, it stopped looking for other matches.

I've included the relavent frames for your review.

63.241.137.194-attacker        my.poor.website        
  HTTP     GET 
Frame 4 (60 on wire, 60 captured)
Ethernet II
Internet Protocol
Transmission Control Protocol, Src Port: 21500
(21500), Dst Port: 80 (80), Seq: 3988343872, Ack:
2181442487
Hypertext Transfer Protocol

   0  00d0 b790 dd6f 0002 1724 4800 0800 4500  
.....o...$H...E. 
  10  002c 105a 4000 7206 9c64 3ff1 89c2 3f59  
.,.Z@.r..d?...?Y 
  20  5301 53fc 0050 edb9 4c40 8206 2bb7 5018  
S.S..P..L@..+.P. 
  30  40b0 3ba1 0000 4745 5420 0000            
@.;...GET ..     


63.241.137.194-attacker        my.poor.website        
   HTTP     Continuation
Frame 5 (1434 on wire, 100 captured)
Ethernet II
Internet Protocol
Transmission Control Protocol, Src Port: 21500
(21500), Dst Port: 80 (80), Seq: 3988343876, Ack:
2181442487
Hypertext Transfer Protocol

   0  00d0 b790 dd6f 0002 1724 4800 0800 4500  
.....o...$H...E. 
  10  058c 105b 4000 7206 9703 3ff1 89c2 3f59  
...[@.r...?...?Y 
  20  5301 53fc 0050 edb9 4c44 8206 2bb7 5018  
S.S..P..LD..+.P. 
  30  40b0 0109 0000 2f64 6566 6175 6c74 2e69  
@...../default.i 
  40  6461 3f4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e  
da?NNNNNNNNNNNNN 
  50  4e4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e  
NNNNNNNNNNNNNNNN 
  60  4e4e 4e4e                                 NNNN  
          


__________________________________________________
Do You Yahoo!?
Get personalized email addresses from Yahoo! Mail
http://personal.mail.yahoo.com/


----------------------------------------------------------------------------


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see:

http://aris.securityfocus.com

Next message: Dirk Brockhausen: "slice3 question"
Previous message: Joe Smith: "Re: .ida Intrusion Attempt"
Next in thread: Martin Roesch: "Re: .ida Intrusion Attempt"
Reply: Martin Roesch: "Re: .ida Intrusion Attempt"
Maybe reply: Keith.Morgan: "RE: .ida Intrusion Attempt"
Maybe reply: Tulchinskiy, Sasha: "RE: .ida Intrusion Attempt"
Maybe reply: Yom, Francis: "RE: .ida Intrusion Attempt"
Maybe reply: Dr SuSE: "Re: .ida Intrusion Attempt"
Maybe reply: Colby Rice: "RE: .ida Intrusion Attempt"
Reply: Ulrich Keil: "RE: .ida Intrusion Attempt"
Reply: Russell Fulton: "Re: .ida Intrusion Attempt"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Jul 19 2001 - 16:44:58 PDT