An attack against IIS 6.0 with WebDAV enabled was published at milw0rm (http://www.milw0rm.com/exploits/8704).
Snort already has coverage for this vulnerability through the http_inspect preprocessor. To detect attacks, make sure that
ascii yes
or utf_8 yes
is added to your configuration. For example, using ascii yes (utf_8 yes can be used in its place):
preprocessor http_inspect_server: server default \
ports { 80 8080 } \
server_flow_depth 0 \
ascii yes \
double_decode yes \
non_rfc_char { 0x00 } \
chunk_length 500000 \
non_strict \
oversize_dir_length 300
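The following Python check is an added example, not part of the original post or of Snort: it joins the continuation lines of each http_inspect_server directive in a configuration and reports any server entry that lacks ascii yes or utf_8 yes. The sample configurations and function names are constructed for illustration, and comment handling is a simplification made by this checker.

```python
import re

# Constructed sample configurations for the demonstration.
SAMPLE_OK = r"""
preprocessor http_inspect_server: server default \
    ports { 80 8080 } \
    utf_8 yes \
    double_decode yes
"""
SAMPLE_MISSING = r"""
# ascii yes  (commented out, so it must not count)
preprocessor http_inspect_server: server 192.0.2.10 \
    ports { 80 } \
    ascii no \
    oversize_dir_length 300
"""

PREFIX = "preprocessor http_inspect_server:"

def server_directives(conf_text):
    """Join backslash-continued lines; return each http_inspect_server body."""
    logical, buf = [], ""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # simplification: drop comments
        if line.endswith("\\"):
            buf += line[:-1] + " "           # continuation: keep accumulating
        else:
            logical.append(buf + line)
            buf = ""
    logical.append(buf)                      # flush a trailing continuation
    return [l[len(PREFIX):].strip() for l in logical if l.startswith(PREFIX)]

def decoding_enabled(directive):
    """True if the directive sets 'ascii yes' or 'utf_8 yes'."""
    return re.search(r"\b(ascii|utf_8)\s+yes\b", directive) is not None

def audit(conf_text):
    """Return (server name, ok) for every http_inspect_server directive."""
    results = []
    for d in server_directives(conf_text):
        m = re.match(r"server\s+(\S+)", d)
        results.append((m.group(1) if m else "?", decoding_enabled(d)))
    return results

if __name__ == "__main__":
    for label, conf in (("ok", SAMPLE_OK), ("missing", SAMPLE_MISSING)):
        for server, ok in audit(conf):
            print(f"{label}: server {server}: {'enabled' if ok else 'MISSING ascii/utf_8'}")
```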
It is also possible to detect this activity using rules. If there is sufficient interest, let us know and we'll post them here.