RE: Unicode Attack
From: Palmer, Justin (justin.palmer@imacorp.com) Date: 11/14/02
- Previous message: BANIER Jeremie: "Re: Yahoo Messenger Stale Sessions"
- Maybe in reply to: Jeremy Junginger: "Unicode Attack"
- Next in thread: Information Security: "RE: Unicode Attack"
From: "Palmer, Justin" <justin.palmer@imacorp.com> To: incidents@securityfocus.com Date: Thu, 14 Nov 2002 11:31:21 -0600
Nick,
The guy is seeing "ATTACK RESPONSES http dir listing". The signature for
that alert is as follows:
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES http dir listing"; content: "Volume Serial Number"; flow:from_server,established; classtype:bad-unknown; sid:1292; rev:4;)
Clearly these aren't simply probes, but snort alerts indicating his web
servers are _responding_ to the probes with a reply: in this case, an
established connection from his web servers sending the string "Volume
Serial Number". Could be a false alarm obviously if that is a legitimate
phrase in his web content, but I doubt it.
> From: Nick FitzGerald [mailto:nick@virus-l.demon.co.uk]
> Sent: Wednesday, November 13, 2002 7:35 PM
>
>
> "Jeremy Junginger" <jjunginger@usbestcrm.com> wrote:
>
> > It's time again to ask the group for some assistance with interpretation
> > of web logs and snort alerts. There was some funny activity on the web
> > farm. I noticed a couple "ATTACK RESPONSES-http dir listing" attacks on
> > some of our web servers, cueing me in to the fact that the servers in
> > question were not patched against a Unicode-type vulnerability. ...
>
> Huh?
>
> Your Snort logs will include everything "odd" (as defined by the
> Snort ruleset) that goes past your Snort sensors. Nothing seen in
> such incoming traffic means anything about your machines being
> vulnerable (well, nothing of the sort you report here means your
> machines are vulnerable). An "attack" as you call it ("probe" might
> be a little less emotive and thus help sort things out) does not mean
> you have anything attackable. The same requests directed to an
> Apache clearly would not be "an attack", as it is not if directed to
> a patched IIS box. Snort (or any other IDS) with the same detection
> rules monitoring such traffic though will flag it regardless that the
> target is an IIS or Apache box.
>
> >
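The two points made in this exchange (a request-side probe alert says nothing about whether the target is vulnerable, while sid:1292 matches the server's own reply and so is much stronger evidence, short of a legitimate page containing the phrase) can be illustrated with a small triage script. The following is an added example, not code from the original post or from the Snort project: it emulates the matching logic of the rule quoted above over constructed sample HTTP exchanges and correlates response-side hits with a preceding probe in the same flow. The `PROBE_PATTERN` request-side check, the host addresses, and the packet contents are all constructed for the example; the real request-side signature and the `established` state tracking that Snort does are not reproduced.

```python
"""Triage of "ATTACK RESPONSES http dir listing" (sid:1292) hits against probes.

Added example: a hypothetical re-implementation of the rule's matching logic,
run over constructed sample traffic. Not Snort code, not from the list post.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed network layout for the example (assumption, not from the thread).
HTTP_SERVERS = {"10.0.0.5", "10.0.0.6", "10.0.0.7"}
HTTP_PORTS = {80}

# Placeholder for a request-side traversal rule's content. The actual probe
# signature that raised the original poster's alerts is not on the page.
PROBE_PATTERN = b"/../"


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


def from_server(pkt: Packet) -> bool:
    """$HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (flow:from_server)."""
    return pkt.src in HTTP_SERVERS and pkt.sport in HTTP_PORTS and pkt.dst not in HTTP_SERVERS


def to_server(pkt: Packet) -> bool:
    """Inbound request toward one of our web servers."""
    return pkt.dst in HTTP_SERVERS and pkt.dport in HTTP_PORTS


def sid_1292(pkt: Packet) -> bool:
    """Emulates the quoted rule: content "Volume Serial Number" in a reply
    the server itself sends. (The 'established' state check is omitted.)"""
    return from_server(pkt) and b"Volume Serial Number" in pkt.payload


def request_probe(pkt: Packet) -> bool:
    """Request-side check: fires on the probe regardless of the target's
    software or patch level, which is Nick's point about IDS alerts."""
    return to_server(pkt) and PROBE_PATTERN in pkt.payload


def flow_key(pkt: Packet) -> tuple:
    """Direction-independent 4-tuple so a reply maps to its request flow."""
    return tuple(sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))


def triage(packets) -> dict:
    """Per web server: probes seen, dir-listing replies, and how many of those
    replies followed a probe in the same flow (the strongest signal)."""
    probed_flows = set()
    summary = defaultdict(lambda: {"probes": 0, "listing_responses": 0, "listing_after_probe": 0})
    for p in packets:
        if request_probe(p):
            summary[p.dst]["probes"] += 1
            probed_flows.add(flow_key(p))
        if sid_1292(p):
            summary[p.src]["listing_responses"] += 1
            if flow_key(p) in probed_flows:
                summary[p.src]["listing_after_probe"] += 1
    return dict(summary)


# Constructed sample traffic (not captured data).
SAMPLE = [
    # 1. Probe at 10.0.0.5: request rule fires, server answers with a plain 404.
    Packet("203.0.113.9", "10.0.0.5", 40001, 80, b"GET /../../ HTTP/1.0\r\n\r\n"),
    Packet("10.0.0.5", "203.0.113.9", 80, 40001, b"HTTP/1.1 404 Not Found\r\n\r\n"),
    # 2. Same probe at 10.0.0.6: the reply carries a directory listing.
    Packet("203.0.113.9", "10.0.0.6", 40002, 80, b"GET /../../ HTTP/1.0\r\n\r\n"),
    Packet("10.0.0.6", "203.0.113.9", 80, 40002,
           b"HTTP/1.1 200 OK\r\n\r\n Volume in drive C has no label.\r\n"
           b" Volume Serial Number is 0000-0000\r\n\r\n Directory of C:\\example\r\n"),
    # 3. 10.0.0.7 serves an ordinary page that happens to contain the phrase:
    #    sid:1292 fires, but no probe preceded it (Justin's false-alarm caveat).
    Packet("198.51.100.4", "10.0.0.7", 40003, 80, b"GET /kb/disk-tools.html HTTP/1.0\r\n\r\n"),
    Packet("10.0.0.7", "198.51.100.4", 80, 40003,
           b"HTTP/1.1 200 OK\r\n\r\n<p>The Volume Serial Number shown by dir is ...</p>"),
]

if __name__ == "__main__":
    for host, counts in sorted(triage(SAMPLE).items()):
        print(host, counts)
```

In the constructed sample, 10.0.0.5 shows a probe with no listing reply (the request-side alert alone is just noise), 10.0.0.6 shows a listing reply in the same flow as a probe (the case Justin describes), and 10.0.0.7 shows a sid:1292 hit with no probe at all, which is exactly the legitimate-content false alarm worth checking before escalating.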
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com