I was wondering what others are using to detect this attack. I have looked through a few of the Snort sigs but I am not sure if I want to try and use them.
I grabbed these off the snort-sig list. Is there already a CSIDS sig for this that I am missing? Or has someone already written one for this?
(this is too content specific and easy to subvert)
alert tcp any any -> any $HTTP_PORTS (msg:"IIS_Webdav_Exploit";
content:"NNNNaaaa?cjjs HTTP/"; nocase; content:"Translate|3a| f";
nocase; reference:cve,CAN-2003-0109; reference:bugtraq,7116;)
(this one may cause false positives)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"IIS-WebDAV Exploit";
flow:established,to_server; content:!"/"; offset:14; within:1000;)
Any thoughts?
thanks,
Geoff
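As an added illustration (not from Geoff's post or the snort-sig list), the two rules above approximated in Python and run over constructed requests, to show why the first only catches the one known pattern and the second fires on a minimal legitimate request. Assumptions: each sample is one TCP payload with no reassembly, and `content:!"/"; offset:14; within:1000` is read as "no '/' anywhere in payload bytes 14 to 1013".

```python
# Added example: approximate the two Snort rules from the post and
# evaluate them against constructed HTTP requests (not real captures).

def rule_content_specific(payload: bytes) -> bool:
    """Rule 1: both content strings must be present, case-insensitive."""
    p = payload.lower()
    return b"nnnnaaaa?cjjs http/" in p and b"translate: f" in p


def rule_no_slash(payload: bytes) -> bool:
    """Rule 2 (assumed reading): alert when the 1000 bytes starting at
    offset 14 contain no '/'. A normal request has '/' in 'HTTP/1.x' or
    in a header such as 'Accept: text/html' within that window."""
    window = payload[14:14 + 1000]
    return b"/" not in window


# Constructed samples, labelled by what they are meant to represent.
SAMPLES = {
    # Shortest legitimate request: after byte 14 only CRLFs are left.
    "tiny_legit": b"GET / HTTP/1.0\r\n\r\n",
    # Ordinary browser request: '/' appears well inside the window.
    "normal_legit": (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                     b"Accept: text/html\r\n\r\n"),
    # Request carrying exactly the strings rule 1 looks for (placeholder,
    # short path, not an exploit payload).
    "known_pattern": (b"SEARCH /NNNNaaaa?cjjs HTTP/1.1\r\nHost: x\r\n"
                      b"Translate: f\r\n\r\n"),
    # Same shape with the bytes changed: a long path with no further '/'
    # before byte 1014, which is what rule 2 keys on.
    "variant_long": b"SEARCH /" + b"A" * 2000 + b" HTTP/1.1\r\nHost: x\r\n\r\n",
}


def evaluate_samples(samples=SAMPLES) -> dict:
    """Return {name: (rule1_fired, rule2_fired)} for every sample."""
    return {name: (rule_content_specific(p), rule_no_slash(p))
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, (r1, r2) in evaluate_samples().items():
        print(f"{name:14s} content_specific={r1!s:5s} no_slash={r2}")
```

Rule 1 misses the changed-bytes variant, while rule 2 flags that variant but also the bare `GET / HTTP/1.0` request, which is the false-positive concern noted in the post.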