Microsoft Security Advisory (971491) published on May 18, 2009 concerns a vulnerability in IIS that may allow unauthorized access to an area of a website that would normally be protected.
An attack against IIS 6.0 with WebDAV enabled was published at milw0rm (http://www.milw0rm.com/exploits/8704).
Snort already has coverage for this vulnerability by using the http_inspect preprocessor. In order to detect attacks, make sure that ascii yes or utf_8 yes is added to your configuration.
For example:
preprocessor http_inspect_server: server default \ ports { 80 8080 } \ server_flow_depth 0 \ ascii yes \ # or “utf_8 yes” double_decode yes \ non_rfc_char { 0x00 } \ chunk_length 500000 \ non_strict \ oversize_dir_length 300It is also possible to detect this activity using rules, if there is sufficient interest, let us know and we'll post them here.