RE: Unicode Attack

From: Palmer, Justin (justin.palmerat_private)
Date: Thu Nov 14 2002 - 09:31:21 PST


    Nick,
    
    The guy is seeing "ATTACK RESPONSES http dir listing".  The signature for
    that alert is as follows:
    
    alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES http dir listing"; content: "Volume Serial Number"; flow:from_server,established; classtype:bad-unknown; sid:1292; rev:4;)
    
    Clearly these aren't simply probes, but Snort alerts indicating his web
    servers are _responding_ to the probes with a reply.  In this case it is an
    established connection from his web servers sending the string "Volume
    Serial Number".  It could be a false alarm, obviously, if that is a
    legitimate phrase in his web content, but I doubt it.
    
    
    > From: Nick FitzGerald [mailto:nick@virus-l.demon.co.uk]
    > Sent: Wednesday, November 13, 2002 7:35 PM
    > 
    > 
    > "Jeremy Junginger" <jjungingerat_private> wrote:
    > 
    > > It's time again to ask the group for some assistance with interpretation
    > > of web logs and snort alerts.  There was some funny activity on the web
    > > farm.  I noticed a couple "ATTACK RESPONSES-http dir listing" attacks on
    > > some of our web servers, cueing me in to the fact that the servers in
    > > question were not patched against a Unicode-type vulnerability.  ...
    > 
    > Huh?
    > 
    > Your Snort logs will include everything "odd" (as defined by the 
    > Snort ruleset) that goes past your Snort sensors.  Nothing seen in 
    > such incoming traffic means anything about your machines being 
    > vulnerable (well, nothing of the sort you report here means your 
    > machines are vulnerable).  An "attack" as you call it ("probe" might 
    > be a little less emotive and thus help sort things out) does not mean 
    > you have anything attackable.  The same requests directed to an 
    > Apache clearly would not be "an attack", as it is not if directed to 
    > a patched IIS box.  Snort (or any other IDS) with the same detection 
    > rules monitoring such traffic though will flag it regardless that the 
    > target is an IIS or Apache box.
    > 
    > > 
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
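To make the point in Justin's reply concrete (this rule fires on the server's reply, not on the probe) and the point in Nick's quoted message (an IDS flags traffic by pattern, not by whether the target was actually affected), here is an added Python example, not code from the thread, Snort, or any of the posters. It is a minimal Snort-style matcher that parses the quoted sid 1292 rule and evaluates it against constructed TCP segments; the `HTTP_SERVERS`/`HTTP_PORTS` values, the addresses, and the payloads are all assumptions made up for the example, and the "kb_article_reply" case shows the false positive Justin mentions, a legitimate page that happens to contain the phrase.

```python
"""Added example: evaluate the quoted Snort rule (sid 1292) against constructed traffic.

Not code from the thread; a minimal Snort-style matcher written to show why this
particular alert indicates a server *response*, and where it can false-positive.
"""
import re
from dataclasses import dataclass

# The rule quoted in the message, joined onto one line.
RULE = ('alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any '
        '(msg:"ATTACK RESPONSES http dir listing"; content: "Volume Serial Number"; '
        'flow:from_server,established; classtype:bad-unknown; sid:1292; rev:4;)')

# Assumed snort.conf variables for this example (not from the page).
HTTP_SERVERS = {"192.0.2.10"}
HTTP_PORTS = {80}


@dataclass
class Segment:
    """One TCP segment with payload, plus the connection state the IDS tracks."""
    src: str
    sport: int
    dst: str
    dport: int
    server: str          # which endpoint accepted the connection (the SYN target)
    established: bool    # handshake completed before this segment
    payload: bytes


def parse_rule(rule: str) -> dict:
    """Pull out the header and the options this matcher understands."""
    m = re.match(r'(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$', rule)
    if not m:
        raise ValueError("unsupported rule syntax")
    action, proto, src, sport, dst, dport, body = m.groups()
    opts = {k: v.strip('"') for k, v in re.findall(r'(\w+)\s*:\s*("[^"]*"|[^;]*);', body)}
    return {
        "action": action, "proto": proto,
        "src": src, "sport": sport, "dst": dst, "dport": dport,
        "msg": opts["msg"],
        "content": opts["content"].encode(),
        "flow": set(opts["flow"].split(",")),
        "sid": int(opts["sid"]),
    }


def _addr_ok(var: str, ip: str) -> bool:
    if var == "$HTTP_SERVERS":
        return ip in HTTP_SERVERS
    if var == "$EXTERNAL_NET":
        return ip not in HTTP_SERVERS
    return var == "any" or var == ip


def _port_ok(var: str, port: int) -> bool:
    if var == "$HTTP_PORTS":
        return port in HTTP_PORTS
    return var == "any" or var == str(port)


def rule_fires(rule: dict, seg: Segment) -> bool:
    """True when every header field, flow condition and content match holds."""
    if not (_addr_ok(rule["src"], seg.src) and _port_ok(rule["sport"], seg.sport)
            and _addr_ok(rule["dst"], seg.dst) and _port_ok(rule["dport"], seg.dport)):
        return False
    if "established" in rule["flow"] and not seg.established:
        return False
    # from_server: the payload must travel away from the endpoint that accepted
    # the connection, i.e. this is a reply, not the request that provoked it.
    if "from_server" in rule["flow"] and seg.src != seg.server:
        return False
    return rule["content"] in seg.payload


def evaluate_sample_traffic() -> dict:
    """Constructed segments (not captured data) covering the cases in the thread."""
    srv, cli = "192.0.2.10", "198.51.100.7"
    listing = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
               b" Volume in drive C has no label.\r\n"
               b" Volume Serial Number is 0000-PLACEHOLDER\r\n"
               b" Directory of C:\\placeholder\r\n")
    cases = {
        # the probe itself: request traffic, so a from_server rule never sees it
        "probe_request": Segment(cli, 40001, srv, 80, srv, True,
                                 b"GET /placeholder-probe HTTP/1.0\r\n\r\n"),
        # the server answering with a command-shell style directory listing
        "dir_listing_reply": Segment(srv, 80, cli, 40001, srv, True, listing),
        # same phrase sent by a client: wrong direction, no alert
        "phrase_in_request": Segment(cli, 40002, srv, 80, srv, True,
                                     b"POST /notes HTTP/1.0\r\n\r\nVolume Serial Number"),
        # a legitimate page that happens to contain the phrase: false positive
        "kb_article_reply": Segment(srv, 80, cli, 40003, srv, True,
                                    b"HTTP/1.1 200 OK\r\n\r\n<p>dir prints the Volume Serial Number</p>"),
        # a segment before the handshake completed: flow:established drops it
        "unestablished_reply": Segment(srv, 80, cli, 40004, srv, False, listing),
    }
    rule = parse_rule(RULE)
    return {name: rule_fires(rule, seg) for name, seg in cases.items()}


if __name__ == "__main__":
    for name, fired in evaluate_sample_traffic().items():
        print(f"{name:22s} {'ALERT sid:1292' if fired else '-'}")
```

Running it shows only the two server-to-client segments containing the phrase raise the alert: the directory listing and the innocuous page. Confirming which one you have means pulling the actual response body from the web server logs or a packet capture, which is the check Justin suggests and the reason a single content match on a reply is evidence of a response but not proof of compromise.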
    This archive was generated by hypermail 2b30 : Thu Nov 14 2002 - 14:16:40 PST