Cisco Support Community

New Member

WebDav Exploit Sig

I was wondering what others are using to detect this attack. I have looked through a few of the Snort sigs but I am not sure if I want to try and use them.

I grabbed these off the snort-sig list. Is there already a CSIDS sig for this that I am missing? Or has someone already written one for this?

(this is too content specific and easy to subvert)

alert tcp any any -> any $HTTP_PORTS (msg:"IIS_Webdav_Exploit"; content:"NNNNaaaa?cjjs HTTP/"; nocase; content:"Translate|3a| f"; nocase; reference:cve,CAN-2003-0109; reference:bugtraq,7116;)

(this one may cause false positives)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"IIS-WebDAV Exploit"; flow:established,to_server; content:!"/"; offset:14; within:1000;)

Any thoughts?

thanks,

Geoff
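The two rules quoted in the post above, modelled in Python over a few requests, as an added example that is not part of the original thread and is not Snort or Cisco code. It assumes the `offset:14; within:1000` pair is read as a 1000-byte window starting at byte 14; the function names, host names and every sample payload are constructed for illustration.

```python
# Added example: approximates the matching logic of the two quoted rules.
# Every payload below is constructed; none is captured traffic.

def rule1_content_specific(payload: bytes) -> bool:
    """Rule 1: both content strings must be present, case-insensitively."""
    p = payload.lower()
    # "Translate|3a| f" in the rule is "Translate: f" (0x3a is ':').
    return b"nnnnaaaa?cjjs http/" in p and b"translate: f" in p

def rule2_no_slash_window(payload: bytes, offset: int = 14, span: int = 1000) -> bool:
    """Rule 2 as modelled here (assumption): alert when no '/' occurs in the
    `span` bytes starting at `offset`. Payloads shorter than offset never alert."""
    window = payload[offset:offset + span]
    return len(window) > 0 and b"/" not in window

HEADERS = b"\r\nHost: www.example.test\r\n"

SAMPLES = {
    # Long request carrying the literal string rule 1 looks for.
    "literal_string": b"GET /" + b"A" * 2000 + b"NNNNaaaa?cjjs HTTP/1.1"
                      + HEADERS + b"Translate: f\r\n\r\n",
    # Same shape and length, different filler bytes.
    "other_filler": b"GET /" + b"B" * 2000 + b" HTTP/1.1"
                    + HEADERS + b"Translate: f\r\n\r\n",
    # Ordinary request: the '/' of "HTTP/1.1" falls inside the window.
    "benign_long_path": b"GET /index.html HTTP/1.1" + HEADERS + b"Accept: */*\r\n\r\n",
    # Ordinary short request: every '/' sits before byte 14.
    "benign_short_path": b"GET /a HTTP/1.0" + HEADERS + b"\r\n",
}

def evaluate(samples=SAMPLES):
    """Return {sample name: (rule 1 fires, rule 2 fires)}."""
    return {name: (rule1_content_specific(p), rule2_no_slash_window(p))
            for name, p in samples.items()}

if __name__ == "__main__":
    for name, (r1, r2) in evaluate().items():
        print(f"{name:18} rule1={r1!s:5} rule2={r2}")
```

Rule 1 fires only on the one literal string, and rule 2 fires on the short benign request, which matches the two caveats given in the post.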

1 REPLY
Cisco Employee

Re: WebDav Exploit Sig
