>> Actually if you are using the UrlScan.dll then it will get stoped >> and logged in the urlscan.log file. So IDS is not the only way and >> the UrlScan is a free utility from M$. What about if a WebDAV application which depends on the use of that method ? If is not needed for example in a Exchange 2000 Outlook Web Access? http://support.microsoft.com/?kbid=309677 I love UrlScan, don't misinterpret me... But in some case one may not be able to block the PROPFIND verb... So basically: IF I DON'T USE IT, I have it disabled, the exploit won't work BUT I log it. IF I USE IT, the exploit will succeed, and no logging will be made. Am I wrong? Daniele Muscetta www.muscetta.com ----- Original Message Follows ----- > Hi all -- > > It would appear that exploits of MS03-007 are not going to create > entries in the IIS access logs. IIS doesn't log until a client > request is finished processing. When the WebDAV vector is used to > overflow whatever-it-is in ntdll.dll, the client request never > finishes, so no log message is ever created. [...] _______________________________________________ LogAnalysis mailing list LogAnalysisat_private http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2b30 : Wed Mar 19 2003 - 14:27:15 PST