Microsoft Security Advisory (971491) published on May 18, 2009 concerns a vulnerability in IIS that may allow unauthorized access to an area of a website that would normally be protected.

An attack against IIS 6.0 with WebDAV enabled was published at milw0rm (

Snort already has coverage for this vulnerability by using the http_inspect preprocessor. In order to detect attacks, make sure that ascii yes or utf_8 yes is added to your configuration.

For example:

# use "ascii yes" or "utf_8 yes"
preprocessor http_inspect_server: server default \
    ports { 80 8080 } \
    server_flow_depth 0 \
    ascii yes \
    double_decode yes \
    non_rfc_char { 0x00 } \
    chunk_length 500000 \
    non_strict \
    oversize_dir_length 300
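To confirm that every http_inspect_server stanza in a configuration carries one of these two options, a small audit script can help. This is an added example, not part of the original post or of Snort itself; the sample configuration is constructed and the function names are hypothetical.

```python
import re

# Constructed sample snort.conf fragment (not from a real deployment).
SAMPLE_CONF = r"""
# second server stanza omits the decoding option
preprocessor http_inspect_server: server default \
    ports { 80 8080 } \
    utf_8 yes \
    double_decode yes
preprocessor http_inspect_server: server 192.0.2.10 \
    ports { 80 } \
    double_decode yes \
    oversize_dir_length 300
"""

def logical_lines(text):
    """Join backslash-continued lines; skip blank and comment-only lines."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield (buf + line).strip()
        buf = ""
    if buf.strip():
        yield buf.strip()

def missing_decoders(conf_text):
    """Return server names whose stanza has neither 'ascii yes' nor 'utf_8 yes'."""
    wanted = {("ascii", "yes"), ("utf_8", "yes")}
    missing = []
    for line in logical_lines(conf_text):
        m = re.match(r"preprocessor\s+http_inspect_server\s*:\s*server\s+(.+)", line)
        if not m:
            continue
        tokens = m.group(1).split()
        name = tokens[0]
        if name == "{" and "}" in tokens:  # server { ip ip ... } form
            name = " ".join(tokens[: tokens.index("}") + 1])
        if not wanted & set(zip(tokens, tokens[1:])):
            missing.append(name)
    return missing

if __name__ == "__main__":
    for server in missing_decoders(SAMPLE_CONF):
        print(f"http_inspect_server '{server}': add 'ascii yes' or 'utf_8 yes'")
```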

It is also possible to detect this activity using rules. If there is sufficient interest, let us know and we'll post them here.