
# (C) Copyright 2001, Martin Roesch, Brian Caswell, et al.  All rights reserved.
# $Id: web-iis.rules,v 1.28 2001/10/29 01:52:54 roesch Exp $
#--------------
# WEB-IIS RULES
#--------------

# Reading these rules:
#  - Every rule except sid 1045 inspects client -> server traffic
#    ($EXTERNAL_NET any -> $HTTP_SERVERS 80). `flags:A+` requires the
#    TCP ACK bit and tolerates any other flags, i.e. established-stream
#    segments only.
#  - `uricontent` is matched against the request URI only; plain
#    `content` is matched against the whole payload, so `content` rules
#    also fire on headers and POST bodies.
#  - `nocase` applies to the immediately preceding content/uricontent.
#  - Bytes between pipes are hex: |2e2e5c2e2e| = "..\..", |3a3a| = "::",
#    |25 31 75| = "%1u", |20| = space, |25 25 25| = "%%%".
#  - Naming convention on this page: "... access" rules are classtype
#    web-application-activity (path/file seen, not necessarily hostile);
#    "... attempt" rules are web-application-attack. A few rules do not
#    follow this split (e.g. sid 993, 994, 1009).
#  - $Id above dates the set to 2001; several references are CVE
#    candidates (CAN-...), which may have been promoted since.

# WebDAV LOCK method. offset:0/depth:5 anchors the match to the first
# five payload bytes, so only a request line starting with "LOCK " fires.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS webdav file lock attempt"; flags:A+; content:"LOCK "; offset:0; depth:5; reference:bugtraq,2736; classtype:web-application-activity; sid:969; rev:1;)

# ISAPI extension mapping probes. The .ida/.idq pairs use dsize:>239 to
# separate an oversized request ("attempt", attack) from any reference
# to the extension ("access", activity); the "?" in the attempt rules
# requires a query string.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .printer access"; uricontent:".printer"; nocase; flags:A+; reference:cve,CAN-2001-0241; reference:arachnids,533; classtype:web-application-activity; sid:971; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .ida attempt"; uricontent:".ida?"; nocase; dsize:>239; flags:A+; reference:arachnids,552; classtype:web-application-attack; reference:cve,CAN-2000-0071; sid:1243; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .ida access"; uricontent:".ida"; nocase; flags:A+; reference:arachnids,552; classtype:web-application-activity; reference:cve,CAN-2000-0071; sid:1242; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .idq attempt"; uricontent:".idq?"; nocase; dsize:>239; flags:A+; reference:arachnids,553; classtype:web-application-attack; reference:cve,CAN-2000-0071; sid:1244; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .idq access"; uricontent:".idq"; nocase; flags:A+; reference:arachnids,553; classtype:web-application-activity; reference:cve,CAN-2000-0071; sid:1245; rev:2;)

# Source-disclosure and path-handling patterns against ASP/IDC handlers.
# sid 973 uses plain `content`, so "*.idc" anywhere in the payload matches.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS %2E-asp access";flags: A+; uricontent:"%2e.asp"; nocase; reference:bugtraq,1814; reference:cve,CAN-1999-0253; classtype:web-application-activity; sid:972; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS *.idc attempt";flags: A+; content:"*.idc"; nocase; reference:bugtraq,1448; reference:cve,CVE-1999-0874; classtype:web-application-attack; sid:973; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ..\.. access";flags: A+; content:"|2e2e5c2e2e|"; reference:bugtraq,2218; reference:cve,CAN-1999-0229; classtype:web-application-attack; sid:974; rev:3;)
# "::$data" is an NTFS alternate data stream suffix appended to the script name.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS .asp$data access";flags: A+; uricontent:".asp|3a3a|$data"; nocase; reference:bugtraq,140; reference:cve,CVE-1999-0278; classtype:web-application-attack; sid:975; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS .bat? access";flags: A+; uricontent:".bat?&"; nocase; reference:bugtraq,2023; reference:cve,CVE-1999-0233; classtype:web-application-activity; sid:976; rev:3;)
# NOTE(review): `flags:a+` is lower-case here and in sid 1043, unlike
# every other rule on the page; confirm the flag parser is
# case-insensitive, otherwise these two rules may never match.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS .cnf access"; content:".cnf"; nocase; flags:a+; classtype:web-application-activity; sid:977; rev:2;)

# Index Server / WebHits (.htw) source viewing. sids 978 and 979 share a
# msg string but carry different sids and references.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ASP contents view"; flags: A+; content:"%20&CiRestriction=none&CiHiliteType=Full"; reference:cve,CAN-2000-0302; reference:bugtraq,1084; classtype:web-application-attack; sid:978; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ASP contents view"; flags: A+; uricontent:"/null.htw?CiWebHitsFile"; reference:bugtraq,1861; classtype:web-application-activity; sid:979; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS CGImail.exe access";flags: A+; uricontent:"/scripts/CGImail.exe"; nocase; reference:cve,CAN-2000-0726; reference:bugtraq,1623; classtype:web-application-activity; sid:980; rev:2;)

# Overlong-UTF-8 "../" sequences in /scripts/ (the IIS Unicode directory
# traversal). Three encodings of the same separator, one rule each; none
# carries a reference: tag, unlike the neighbouring rules.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS File permission canonicalization"; uricontent:"/scripts/..%c0%af../"; flags: A+; nocase; classtype:web-application-attack; sid:981; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS File permission canonicalization"; uricontent:"/scripts/..%c1%1c../"; flags: A+; nocase; classtype:web-application-attack; sid:982; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS File permission canonicalization"; uricontent:"/scripts/..%c1%9c../"; flags: A+; nocase; classtype:web-application-attack;  sid:983; rev:2;)

# Sample scripts and administrative tools shipped with IIS; these are
# inventory/recon indicators rather than exploit signatures.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS JET VBA access";flags: A+; uricontent:"/scripts/samples/ctguestb.idc"; nocase; reference:bugtraq,307; reference:cve,CVE-1999-0874; classtype:web-application-activity; sid:984; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS JET VBA access";flags: A+; uricontent:"/scripts/samples/details.idc"; nocase; reference:bugtraq,286; reference:cve,CVE-1999-0874; classtype:web-application-activity; sid:985; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS MSProxy access";flags: A+; uricontent:"/scripts/proxy/w3proxy.dll"; nocase; classtype:web-application-activity; sid:986; rev:2;)
# Matches one specific filler string ("BBBB") in front of ".htr"; the
# coverage of the underlying .htr overflow is therefore narrow.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS Overflow-htr access";flags: A+; content:"BBBB.htrHTTP"; nocase; classtype:web-application-attack; sid:987; rev:2;)
# "sam._" is the compressed SAM backup filename; plain content, so it
# matches anywhere in the payload.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS SAM Attempt";flags: A+; content:"sam._"; nocase; classtype:web-application-attack; sid:988; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS Unicode2.pl script (File permission canonicalization)"; uricontent:"/sensepost.exe"; flags: A+; nocase; classtype:web-application-activity; sid:989; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS _vti_inf access";flags: A+; uricontent:"_vti_inf.html"; nocase; classtype:web-application-activity; sid:990; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS achg.htr access";flags: A+; uricontent:"/iisadmpwd/achg.htr"; nocase; reference:cve,CVE-1999-0407; reference:bugtraq,2110; classtype:web-application-activity; sid:991; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS adctest.asp access";flags: A+; uricontent:"/msadc/samples/adctest.asp"; nocase; classtype:web-application-activity; sid:992; rev:2;)
# sid 993 is a prefix of sid 994's URI, so a /scripts/iisadmin/default.htm
# request raises both alerts.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS admin access";flags: A+; uricontent:"/scripts/iisadmin"; nocase; classtype:web-application-attack; sid:993; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS admin-default access";flags: A+; uricontent:"/scripts/iisadmin/default.htm"; nocase; classtype:web-application-attack; sid:994; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS admin.dll access";flags: A+; uricontent:"/scripts/iisadmin/ism.dll?http/dir"; nocase; reference:cve,CVE-2000-0630; reference:bugtraq,189; classtype:web-application-attack; sid:995; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS anot.htr access";flags: A+; uricontent:"/iisadmpwd/anot"; nocase; reference:bugtraq,2110; reference:cve,CAN-1999-0407; classtype:web-application-activity; sid:996; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS asp-dot attempt";flags: A+; uricontent:".asp."; nocase; classtype:web-application-attack; sid:997; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS asp-srch attempt";flags: A+; uricontent:"#filename=*.asp"; nocase; classtype:web-application-attack; sid:998; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS bdir access";flags: A+; uricontent:"/scripts/iisadmin/bdir.htr"; nocase; classtype:web-application-activity; sid:999; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS bdir.ht access"; uricontent:"/bdir.htr"; nocase; flags:A+; classtype:web-application-activity; sid:1000; rev:2;)

# Command execution indicators. Both use plain `content`, so "cmd.exe"
# in a request body or header also fires; expect tuning on busy sites.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; flags: A+; content:"cmd.exe"; nocase; classtype:web-application-attack; sid:1002; rev:2;)
# NOTE(review): msg contains a typo ("acess"). Left unchanged here because
# the msg text is what alert consumers key on; fix together with a rev bump.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd? acess";flags: A+; content:".cmd?&"; nocase; classtype:web-application-attack; sid:1003; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS codebrowser Exair access";flags: A+; uricontent:"/iissamples/exair/howitworks/codebrws.asp"; nocase; reference:cve,CVE-1999-0499; classtype:web-application-activity; sid:1004; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS codebrowser SDK access";flags: A+; uricontent:"/iissamples/sdk/asp/docs/codebrws.asp"; nocase;reference:bugtraq,167; classtype:web-application-activity; sid:1005; rev:2;)
# sids 1007 and 1009 match only on the sample-page path, not on any
# script or listing payload, despite what the msg names suggest.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cross-site scripting attempt"; uricontent:"/Form_JScript.asp"; nocase; flags:A+; classtype:web-application-attack; sid:1007; rev:2;)
# `\\` in the pattern is an escaped backslash, i.e. the literal is "&del+/s+c:\*.*".
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS del attempt";flags: A+; content:"&del+/s+c|3a|\\*.*"; nocase; classtype:web-application-attack; sid:1008; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS directory listing"; uricontent:"/ServerVariables_Jscript.asp"; nocase; flags:A+; classtype:web-application-attack; sid:1009; rev:1;)
# |25 31 75| is "%1u": a non-standard %u-style encoding prefix.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS encoding access"; flags: A+; content: "|25 31 75|";  reference:arachnids,200; classtype:web-application-activity; sid:1010; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS exec-src access";flags: A+; content:"#filename=*.exe"; nocase; classtype:web-application-activity; sid:1011; rev:2;)
# fpcount: "attempt" additionally requires the "Digits=-" parameter
# (negative value) in the payload; "access" fires on the path alone.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS fpcount attempt"; flags: A+; uricontent:"/fpcount.exe"; content:"Digits=-"; nocase; reference:bugtraq,2252; classtype:web-application-attack; sid:1012; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS fpcount access";flags: A+; uricontent:"/fpcount.exe"; nocase; reference:bugtraq,2252; classtype:web-application-activity; sid:1013; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS getdrvrs access";flags: A+; uricontent:"/scripts/tools/getdrvrs.exe"; nocase; classtype:web-application-activity; sid:1014; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS getdrvs.exe access";flags: A+; uricontent:"/scripts/tools/getdrvs.exe"; nocase; classtype:web-application-activity; sid:1015; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS global-asa access";flags: A+; content:"global.asa"; nocase; classtype:web-application-activity; sid:1016; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS idc-srch attempt";flags: A+; content:"#filename=*.idc"; nocase; reference:cve,CVE-1999-0874; classtype:web-application-attack; sid:1017; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS iisadmpwd attempt";flags: A+; uricontent:"/iisadmpwd/aexp"; nocase; reference:bugtraq,2110; reference:cve,CVE-2000-0303; classtype:web-application-attack; sid:1018; rev:2;)
# Two content matches, both required, neither with nocase (case-sensitive).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS index server file sourcecode attempt"; flags: A+; content:"?CiWebHitsFile=/"; content:"&CiRestriction=none&CiHiliteType=Full"; classtype:web-application-attack; sid:1019; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS isc$data attempt";flags: A+; content:".idc|3a3a|$data"; nocase; reference:bugtraq,307; reference:cve,CVE-1999-0874; classtype:web-application-attack; sid:1020; rev:3;)
# Five encoded spaces before ".htr" is the trigger pattern for the ism.dll issue.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ism.dll attempt"; flags: A+; content:"%20%20%20%20%20.htr"; nocase; reference:cve,CAN-2000-0457; reference:bugtraq,1193; classtype:web-application-attack; sid:1021; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS jet vba access";flags: A+; content:"/advworks/equipment/catalog_type.asp"; nocase; reference:bugtraq,286; reference:cve,CVE-1999-0874; classtype:web-application-activity; sid:1022; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS msadc/msadcs.dll access";flags: A+; uricontent:"/msadc/msadcs.dll"; nocase; reference:cve,CVE-1999-1011; reference:bugtraq,529; classtype:web-application-activity; sid:1023; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS newdsn.exe access";flags: A+; uricontent:"/scripts/tools/newdsn.exe"; nocase;reference:bugtraq,1818;reference:cve,CVE-1999-0191; classtype:web-application-activity; sid:1024; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS perl access";flags: A+; uricontent:"/scripts/perl"; nocase; classtype:web-application-activity; sid:1025; rev:2;)
# Trailing-character variants (%0a newline, %20 space) appended to a .pl
# script name; plain content, matched anywhere in the payload.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS perl-browse0a attempt";flags: A+; content:"%0a.pl"; nocase; classtype:web-application-attack; sid:1026; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS perl-browse20 attempt";flags: A+; content:"%20.pl"; nocase; classtype:web-application-attack; sid:1027; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS query.asp access";flags: A+; uricontent:"/issamples/query.asp"; nocase; reference:bugtraq,193; reference:cve,CVE-1999-0449; classtype:web-application-activity; sid:1028; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS scripts-browse access";flags: A+; uricontent:"/scripts/|20|"; nocase; classtype:web-application-attack; sid:1029; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS search97.vts access";flags: A+; uricontent:"/search97.vts";reference:bugtraq,162; classtype:web-application-activity; sid:1030; rev:3;)

# Site Server "ViewCode.asp" source viewers: one rule per shipped path,
# all sharing the "showcode access" msg; only the sid distinguishes them.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS showcode access"; uricontent:"/SiteServer/Publishing/viewcode.asp"; flags: A+; nocase; classtype:web-application-activity; sid:1031; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS showcode access"; uricontent:"/Sites/Knowledge/Membership/Inspired/ViewCode.asp"; flags: A+; nocase; classtype:web-application-activity; sid:1032; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS showcode access"; uricontent:"/Sites/Knowledge/Membership/Inspiredtutorial/ViewCode.asp"; flags: A+; nocase; classtype:web-application-activity; sid:1033; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS showcode access"; uricontent:"/Sites/Samples/Knowledge/Membership/Inspiredtutorial/ViewCode.asp"; flags: A+; nocase; classtype:web-application-activity; sid:1034; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS showcode access"; uricontent:"/Sites/Samples/Knowledge/Push/ViewCode.asp"; flags: A+; nocase; classtype:web-application-activity; sid:1035; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS showcode access"; uricontent:"/Sites/Samples/Knowledge/Search/ViewCode.asp"; flags: A+; nocase; classtype:web-application-activity; sid:1036; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS showcode.asp access";flags: A+; uricontent:"/selector/showcode.asp"; nocase; reference:cve,CAN-1999-0736; classtype:web-application-activity; sid:1037; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS site server config access";flags: A+; uricontent:"/adsamples/config/site.csc"; nocase;reference:bugtraq,256; classtype:web-application-activity; sid:1038; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS srch.htm access";flags: A+; uricontent:"/samples/isapi/srch.htm"; nocase; classtype:web-application-activity; sid:1039; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS srchadm access";flags: A+; uricontent:"/srchadm"; nocase; classtype:web-application-activity; sid:1040; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS uploadn.asp access";flags: A+; uricontent:"/scripts/uploadn.asp"; nocase; classtype:web-application-activity; sid:1041; rev:2;)
# Request header "Translate: f" (|3a| is the colon); content, not
# uricontent, because the pattern lives in the header block.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS view source via translate header"; flags: A+; content: "Translate|3a| F"; nocase;reference:arachnids,305; classtype:web-application-activity; sid:1042; rev:2;)
# NOTE(review): lower-case `flags:a+` again (see sid 977).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS viewcode.asp access"; uricontent:"/viewcode.asp"; nocase; flags:a+; classtype:web-application-activity; sid:1043; rev:2;)
# ".htw" without nocase (case-sensitive), gated on a payload larger than 400 bytes.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS webhits access"; uricontent: ".htw"; flags: A+; dsize: >400;reference:arachnids,237; classtype:web-application-activity; sid:1044; rev:2;)

# The only server -> client rule on the page. It fires on any response
# carrying "403" and "Forbidden:" (the backslash escapes the colon), so
# every ordinary 403 from a monitored IIS host raises an "attack" alert;
# expect this to be noisy and consider whether activity is the right class.
alert tcp $HTTP_SERVERS 80 -> $EXTERNAL_NET any (msg:"WEB-IIS Unauthorized IP Access Attempt"; flags: A+; content:"403"; content:"Forbidden\:"; classtype:web-application-attack; sid:1045; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS site/iisamples access"; flags:A+; uricontent:"/site/iisamples"; nocase; classtype:web-application-activity; sid:1046; rev:2;)
# root.exe under /scripts/ — presumably the cmd.exe copy the CodeRed II
# worm leaves behind; a hit indicates a host that was already compromised.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS CodeRed v2 root.exe access"; flags: A+; uricontent:"scripts/root.exe?"; nocase; classtype:web-application-attack; sid: 1256; rev:2;)
# Three conditions: the OWA logon URI, a "mailbox=" parameter, and "%%%"
# (|25 25 25|) somewhere in the payload.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS outlook web dos"; flags:A+; uricontent:"/exchange/LogonFrm.asp?"; nocase; content:"mailbox="; nocase; content:"|25 25 25|"; classtype:web-application-attack; reference:bugtraq,3223; sid:1283; rev:4;)
# Double-decode traversal: an encoded backslash (%5c) plus ".." in the URI.
# NOTE(review): whether the literal "%5c" is still present after URI
# normalization depends on the HTTP decode preprocessor settings; confirm
# against the deployed snort.conf.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS multiple decode attempt"; flags:A+; uricontent:"%5c"; uricontent:".."; reference:cve,CAN-2001-0333; classtype:web-application-attack; sid:970; rev:2;)
# Broad directory indicators. sid 1287 ("/scripts/") overlaps with every
# /scripts/... rule above and fires on all legitimate use of that
# directory; it is an inventory signal, not an attack indicator.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS msdac access"; flags:A+; uricontent:"/msdac/"; nocase; classtype:web-application-activity; sid:1285; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS _mem_bin access"; flags:A+; uricontent:"/_mem_bin/"; nocase; classtype:web-application-activity; sid:1286; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS scripts access"; flags:A+; uricontent:"/scripts/"; nocase; classtype:web-application-activity; sid:1287; rev:2;)