RE: Unicode Attack

From: Palmer, Justin (justin.palmer@imacorp.com)
Date: 11/14/02


From: "Palmer, Justin" <justin.palmer@imacorp.com>
To: incidents@securityfocus.com
Date: Thu, 14 Nov 2002 11:31:21 -0600

Nick,

The guy is seeing "ATTACK RESPONSES http dir listing". The signature for
that alert is as follows:

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES http dir listing"; content: "Volume Serial Number"; flow:from_server,established; classtype:bad-unknown; sid:1292; rev:4;)

Clearly these aren't simply probes, but snort alerts indicating his web
servers are _responding_ to the probes with a reply. In this case, an
established connection from his web servers is sending the string "Volume
Serial Number". Could be a false alarm, obviously, if that is a legitimate
phrase in his web content, but I doubt it.

> From: Nick FitzGerald [mailto:nick@virus-l.demon.co.uk]
> Sent: Wednesday, November 13, 2002 7:35 PM
>
>
> "Jeremy Junginger" <jjunginger@usbestcrm.com> wrote:
>
> > It's time again to ask the group for some assistance with interpretation
> > of web logs and snort alerts. There was some funny activity on the web
> > farm. I noticed a couple "ATTACK RESPONSES-http dir listing" attacks on
> > some of our web servers, cueing me in to the fact that the servers in
> > question were not patched against a Unicode-type vulnerability. ...
>
> Huh?
>
> Your Snort logs will include everything "odd" (as defined by the
> Snort ruleset) that goes past your Snort sensors. Nothing seen in
> such incoming traffic means anything about your machines being
> vulnerable (well, nothing of the sort you report here means your
> machines are vulnerable). An "attack" as you call it ("probe" might
> be a little less emotive and thus help sort things out) does not mean
> you have anything attackable. The same requests directed to an
> Apache clearly would not be "an attack", as they are not if directed to
> a patched IIS box. Snort (or any other IDS) with the same detection
> rules monitoring such traffic though will flag it regardless of whether the
> target is an IIS or Apache box.
>
> >

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
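An added example (not part of the thread) that parses the sid:1292 rule quoted above and applies its flow and content semantics to constructed HTTP samples. It shows why the alert only fires on data the server sends back, and that a page which legitimately contains the phrase trips the same alert (the false-alarm case noted above). The flow flags on each sample stand in for Snort's stream tracking and are assumptions of this example.

```python
import re

# The Snort rule quoted in the thread (Snort 1.x/2.x syntax).
RULE = ('alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK '
        'RESPONSES http dir listing"; content: "Volume Serial Number"; '
        'flow:from_server,established; classtype:bad-unknown; sid:1292; rev:4;)')

def parse_rule(rule):
    """Split a one-line Snort rule into its header fields and an option dict."""
    head, _, opts = rule.partition("(")
    action, proto, src, sport, direction, dst, dport = head.split()
    options = {}
    # name:value; pairs, value either quoted (may contain spaces) or bare
    for name, value in re.findall(r'(\w+)\s*:\s*("[^"]*"|[^;]*);', opts):
        options[name] = value.strip('"')
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport, "options": options}

def matches(rule, pkt):
    """pkt: constructed dict with from_server, established (bool) and payload (str).
    Mirrors the rule: only established traffic sent *by* the server is examined,
    and the alert fires when the content string appears in that payload."""
    flow = set(rule["options"]["flow"].split(","))
    if "from_server" in flow and not pkt["from_server"]:
        return False
    if "established" in flow and not pkt["established"]:
        return False
    return rule["options"]["content"] in pkt["payload"]

# Constructed samples, not captured traffic.
SAMPLE_FLOWS = [
    ("probe request (client -> server)", dict(from_server=False, established=True,
        payload="GET /probe HTTP/1.0\r\n\r\n")),
    ("server executed dir", dict(from_server=True, established=True,
        payload="HTTP/1.1 200 OK\r\n\r\n Volume in drive C has no label.\r\n"
                " Volume Serial Number is 1234-ABCD\r\n Directory of C:\\inetpub\r\n")),
    ("legitimate page mentioning the phrase", dict(from_server=True, established=True,
        payload="HTTP/1.1 200 OK\r\n\r\n<p>Look for the Volume Serial Number line</p>")),
    ("ordinary page", dict(from_server=True, established=True,
        payload="HTTP/1.1 200 OK\r\n\r\n<html>hello</html>")),
]

def evaluate(rule_text=RULE, flows=SAMPLE_FLOWS):
    """Return {sample label: alert fired?} for each constructed flow."""
    rule = parse_rule(rule_text)
    return {label: matches(rule, pkt) for label, pkt in flows}

if __name__ == "__main__":
    for label, fired in evaluate().items():
        print(f"{'ALERT ' if fired else '      '} {label}")
```

The probe itself never matches because the rule inspects the server's side of the stream only; confirming a true positive means checking whether the flagged response really came from a command's output or from ordinary page content.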