Thanks for the inquiries. Here are rules that detect attacks against IIS 6.0 with WebDAV enabled.

(see yesterdays post for details)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS Microsoft IIS 6.0 WebDAV COPY remote authentication bypass attempt"; flow:to_server,established; content:"COPY"; http_method; pcre:"/^COPY\s+[^\x0a]*?(\x25[89A-F][0-9A-F])/si"; reference:url,www.microsoft.com/technet/security/advisory/971492.mspx; reference:cve,2009-1676; classtype:attempted-user; sid:1; rev:1;)alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS Microsoft IIS 6.0 WebDAV PROPFIND remote authentication bypass attempt"; flow:to_server,established; content:"PROPFIND"; http_method; pcre:"/^PROPFIND\s+[^\x0a]*?(\x25[89A-F][0-9A-F])/si"; reference:url,www.microsoft.com/technet/security/advisory/971492.mspx; reference:cve,2009-1676; classtype:attempted-user; sid:2; rev:1;)alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS Microsoft IIS 6.0 WebDAV PROPPATCH remote authentication bypass attempt"; flow:to_server,established; content:"PROPPATCH"; http_method; pcre:"/^PROPPATCH\s+[^\x0a]*?(\x25[89A-F][0-9A-F])/si"; reference:url,www.microsoft.com/technet/security/advisory/971492.mspx; reference:cve,2009-1676; classtype:attempted-user; sid:3; rev:1;)alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS Microsoft IIS 6.0 WebDAV MKCOL remote authentication bypass attempt"; flow:to_server,established; content:"MKCOL"; http_method; pcre:"/^MKCOL\s+[^\x0a]*?(\x25[89A-F][0-9A-F])/si"; reference:url,www.microsoft.com/technet/security/advisory/971492.mspx; reference:cve,2009-1676; classtype:attempted-user; sid:4; rev:1;)alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS Microsoft IIS 6.0 WebDAV MOVE remote authentication bypass attempt"; flow:to_server,established; content:"MOVE"; http_method; pcre:"/^MOVE\s+[^\x0a]*?(\x25[89A-F][0-9A-F])/si"; reference:url,www.microsoft.com/technet/security/advisory/971492.mspx; reference:cve,2009-1676; classtype:attempted-user; sid:5; rev:1;)alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS Microsoft IIS 6.0 WebDAV LOCK remote authentication bypass attempt"; flow:to_server,established; content:"LOCK"; http_method; pcre:"/^LOCK\s+[^\x0a]*?(\x25[89A-F][0-9A-F])/si"; reference:url,www.microsoft.com/technet/security/advisory/971492.mspx; reference:cve,2009-1676; classtype:attempted-user; sid:6; rev:1;)alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS Microsoft IIS 6.0 WebDAV UNLOCK remote authentication bypass attempt"; flow:to_server,established; content:"UNLOCK"; http_method; pcre:"/^UNLOCK\s+[^\x0a]*?(\x25[89A-F][0-9A-F])/si"; reference:url,www.microsoft.com/technet/security/advisory/971492.mspx; reference:cve,2009-1676; classtype:attempted-user; sid:7; rev:1;)alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS Microsoft IIS 6.0 WebDAV DAV remote authentication bypass attempt"; flow:to_server,established; content:"DAV"; http_header; nocase; pcre:"/^[A-Z]+\s+[^\x0a]*?(\x25[89A-F][0-9A-F])/si"; reference:url,www.microsoft.com/technet/security/advisory/971492.mspx; reference:cve,2009-1676; classtype:attempted-user; sid:8; rev:1;)alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS Microsoft IIS 6.0 WebDAV Destination remote authentication bypass attempt"; flow:to_server,established; content:"Destination"; http_header; nocase; pcre:"/^[A-Z]+\s+[^\x0a]*?(\x25[89A-F][0-9A-F])/si"; reference:url,www.microsoft.com/technet/security/advisory/971492.mspx; reference:cve,2009-1676; classtype:attempted-user; sid:9; rev:1;)alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS Microsoft IIS 6.0 WebDAV Depth remote authentication bypass attempt"; flow:to_server,established; content:"Depth"; http_header; nocase; pcre:"/^[A-Z]+\s+[^\x0a]*?(\x25[89A-F][0-9A-F])/si"; reference:url,www.microsoft.com/technet/security/advisory/971492.mspx; reference:cve,2009-1676; classtype:attempted-user; sid:10; rev:1;)alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS Microsoft IIS 6.0 WebDAV If remote authentication bypass attempt"; flow:to_server,established; content:"If"; http_header;  pcre:"/^[A-Z]+\s+[^\x0a]*?(\x25[89A-F][0-9A-F])/si"; reference:url,www.microsoft.com/technet/security/advisory/971492.mspx; reference:cve,2009-1676; classtype:attempted-user; sid:11; rev:1;)alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS Microsoft IIS 6.0 WebDAV Lock-Token remote authentication bypass attempt"; flow:to_server,established; content:"Lock-Token"; http_header; nocase; pcre:"/^[A-Z]+\s+[^\x0a]*?(\x25[89A-F][0-9A-F])/si"; reference:url,www.microsoft.com/technet/security/advisory/971492.mspx; reference:cve,2009-1676; classtype:attempted-user; sid:12; rev:1;)alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS Microsoft IIS 6.0 WebDAV Overwrite remote authentication bypass attempt"; flow:to_server,established; content:"Overwrite"; http_header; nocase; pcre:"/^[A-Z]+\s+[^\x0a]*?(\x25[89A-F][0-9A-F])/si"; reference:url,www.microsoft.com/technet/security/advisory/971492.mspx; reference:cve,2009-1676; classtype:attempted-user; sid:13; rev:1;)alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS Microsoft IIS 6.0 WebDAV Timeout remote authentication bypass attempt"; flow:to_server,established; content:"Timeout"; http_header; nocase; pcre:"/^[A-Z]+\s+[^\x0a]*?(\x25[89A-F][0-9A-F])/si"; reference:url,www.microsoft.com/technet/security/advisory/971492.mspx; reference:cve,2009-1676; classtype:attempted-user; sid:14; rev:1;)alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS Microsoft IIS 6.0 WebDAV Translate remote authentication bypass attempt"; flow:to_server,established; content:"Translate"; http_header; nocase; pcre:"/^[A-Z]+\s+[^\x0a]*?(\x25[89A-F][0-9A-F])/si"; reference:url,www.microsoft.com/technet/security/advisory/971492.mspx; reference:cve,2009-1676; classtype:attempted-user; sid:15; rev:1;)


Note: These rules are covered by the Sourcefire VRT Certified Rules License agreement available here: http://www.snort.org/about_snort/licenses/vrt_license.html

Also, some browsers do not wrap the rules properly but highlight, copy and paste works just fine.