web-iis.rules
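# $Id: web-iis.rules,v 1.17 2001/08/07 02:18:44 roesch Exp $
#--------------
# WEB-IIS RULES
#--------------
#
# Signatures for requests aimed at Microsoft IIS and its bundled sample
# scripts, ISAPI extensions and admin pages. One rule per line.
#
# Reading notes for whoever tunes this file:
#  * Every rule matches traffic from $EXTERNAL_NET to $HTTP_SERVERS on
#    destination port 80 only. HTTP listeners on other ports are not covered
#    by this file.
#  * flags:A+ requires ACK plus any other TCP flags. It is a per-packet
#    check, not session tracking.
#  * uricontent matches against the request URI; content matches raw payload
#    bytes anywhere in the packet. The content-based rules below are therefore
#    not URI-normalised, so expect both extra hits (headers, bodies) and gaps.
#    NOTE(review): confirm the HTTP decode preprocessor is enabled, otherwise
#    the uricontent rules may not behave as intended.
#  * "access" rules (classtype attempted-recon) flag that a risky resource was
#    requested. "attempt" rules add a condition that suggests exploitation.
#    Triage them differently.
#  * References mix CAN- (candidate) and CVE- prefixes, and the same number
#    appears with both (sid 991 vs sid 996). Normalise when exporting to a
#    SIEM.
#  * NOTE(review): the msg text of sid 989 (quote placement) and sid 1003
#    (spelling) is corrected here while rev is left as found. Bump rev if
#    local policy tracks msg changes.

# --- WebDAV ---------------------------------------------------------------
# offset:0 with depth:5 pins "LOCK " to the first five payload bytes, i.e. the
# request method.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS webdav file lock attempt"; flags:A+; content:"LOCK "; offset:0; depth:5; reference:bugtraq,2736; classtype:bad-unknown; sid:969; rev:1;)

# --- URL decoding / path canonicalisation ----------------------------------
# Both uricontent strings must be present: an encoded backslash and "..".
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS multiple decode attempt"; flags:A+; uricontent:"%5c"; uricontent:".."; reference:cve,CAN-2001-0333; classtype:attempted-user; sid:970; rev:1;)

# --- ISAPI extensions (.printer, .ida, .idq) --------------------------------
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .printer access"; uricontent:".printer"; nocase; flags:A+; reference:cve,CAN-2001-0241; reference:arachnids,533; classtype:attempted-recon; sid:971; rev:1;)
# The "attempt" variants add dsize:>239 (payload larger than 239 bytes) to
# separate oversized requests from plain access. dsize is evaluated per
# packet. NOTE(review): verify how it behaves with stream reassembly in this
# deployment.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .ida attempt"; uricontent:".ida?"; nocase; dsize:>239; flags:A+; reference:arachnids,552; classtype:attempted-admin; reference:cve,CAN-2000-0071; sid:1243; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .ida access"; uricontent:".ida"; nocase; flags:A+; reference:arachnids,552; classtype:attempted-recon; reference:cve,CAN-2000-0071; sid:1242; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .idq attempt"; uricontent:".idq?"; nocase; dsize:>239; flags:A+; reference:arachnids,553; classtype:attempted-admin; reference:cve,CAN-2000-0071; sid:1244; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .idq access"; uricontent:".idq"; nocase; flags:A+; reference:arachnids,553; classtype:attempted-recon; reference:cve,CAN-2000-0071; sid:1245; rev:1;)

# --- Source disclosure and traversal variants ------------------------------
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS %2E-asp access";flags: A+; uricontent:"%2e.asp"; nocase; reference:bugtraq,1814; reference:cve,CAN-1999-0253; classtype:attempted-recon; sid:972; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS *.idc attempt";flags: A+; content:"*.idc"; nocase; reference:bugtraq,1448; reference:cve,CVE-1999-0874; classtype:attempted-recon; sid:973; rev:2;)
# |2e2e5c2e2e| is the byte sequence for ..\.. matched in the raw payload.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ..\.. access";flags: A+; content:"|2e2e5c2e2e|"; reference:bugtraq,2218; reference:cve,CAN-1999-0229; classtype:attempted-recon; sid:974; rev:2;)
# |3a3a| is "::", so the pattern is ".asp::$data".
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS .asp$data access";flags: A+; uricontent:".asp|3a3a|$data"; nocase; reference:bugtraq,140; reference:cve,CVE-1999-0278; classtype:attempted-recon; sid:975; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS .bat? access";flags: A+; uricontent:".bat?&"; nocase; reference:bugtraq,2023; reference:cve,CVE-1999-0233; classtype:attempted-recon; sid:976; rev:2;)
# Only rule in the file written with a lower-case flags value (a+).
# NOTE(review): confirm the rule parser treats it the same as A+.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS .cnf access"; content:".cnf"; nocase; flags:a+; classtype:attempted-recon; sid:977; rev:1;)
# sid 978 and sid 979 share one msg string. Distinguish them by sid in alert
# pipelines.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ASP contents view"; flags: A+; content:"%20&CiRestriction=none&CiHiliteType=Full"; reference:cve,CAN-2000-0302; reference:bugtraq,1084; classtype:attempted-recon; sid:978; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ASP contents view"; flags: A+; uricontent:"/null.htw?CiWebHitsFile"; reference:bugtraq,1861; classtype:attempted-recon; sid:979; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS CGImail.exe access";flags: A+; uricontent:"/scripts/CGImail.exe"; nocase; reference:cve,CAN-2000-0726; reference:bugtraq,1623; classtype:attempted-recon; sid:980; rev:1;)

# --- Encoded traversal under /scripts/ ---------------------------------------
# Three fixed spellings of an encoded path separator between "..": %c0%af,
# %c1%1c and %c1%9c. They share one msg, so key on sid. The rules carry no
# reference options and match only these three literal encodings under
# /scripts/, so other directories or encodings are outside their scope.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS File permission canonicalization"; uricontent:"/scripts/..%c0%af../"; flags: A+; nocase; classtype:attempted-admin; sid:981; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS File permission canonicalization"; uricontent:"/scripts/..%c1%1c../"; flags: A+; nocase; classtype:attempted-admin; sid:982; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS File permission canonicalization"; uricontent:"/scripts/..%c1%9c../"; flags: A+; nocase; classtype:attempted-admin; sid:983; rev:1;)

# --- Sample scripts, proxy and misc. files -----------------------------------
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS JET VBA access";flags: A+; uricontent:"/scripts/samples/ctguestb.idc"; nocase; reference:bugtraq,307; reference:cve,CVE-1999-0874; classtype:attempted-recon; sid:984; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS JET VBA access";flags: A+; uricontent:"/scripts/samples/details.idc"; nocase; reference:bugtraq,286; reference:cve,CVE-1999-0874; classtype:attempted-recon; sid:985; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS MSProxy access";flags: A+; uricontent:"/scripts/proxy/w3proxy.dll"; nocase; classtype:attempted-recon; sid:986; rev:1;)
# Matches one literal filler string ("BBBB.htrHTTP"). This looks tied to a
# specific tool's padding rather than to the request class in general.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS Overflow-htr access";flags: A+; content:"BBBB.htrHTTP"; nocase; classtype:attempted-recon; sid:987; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS SAM Attempt";flags: A+; content:"sam._"; nocase; classtype:attempted-recon; sid:988; rev:1;)
# The closing parenthesis belongs inside the quoted msg text. With the quote
# placed before it, the msg option is not terminated cleanly.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS Unicode2.pl script (File permission canonicalization)"; uricontent:"/sensepost.exe"; flags: A+; nocase; classtype:attempted-recon; sid:989; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS _vti_inf access";flags: A+; uricontent:"_vti_inf.html"; nocase; classtype:attempted-recon; sid:990; rev:1;)

# --- Password-change and admin pages -----------------------------------------
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS achg.htr access";flags: A+; uricontent:"/iisadmpwd/achg.htr"; nocase; reference:cve,CVE-1999-0407; reference:bugtraq,2110; classtype:attempted-recon; sid:991; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS adctest.asp access";flags: A+; uricontent:"/msadc/samples/adctest.asp"; nocase; classtype:attempted-recon; sid:992; rev:1;)
# sid 993 is a prefix of the URIs in sid 994, 995 and 999, so one request to
# those pages can raise more than one alert.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS admin access";flags: A+; uricontent:"/scripts/iisadmin"; nocase; classtype:attempted-admin; sid:993; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS admin-default access";flags: A+; uricontent:"/scripts/iisadmin/default.htm"; nocase; classtype:attempted-admin; sid:994; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS admin.dll access";flags: A+; uricontent:"/scripts/iisadmin/ism.dll?http/dir"; nocase; reference:cve,CVE-2000-0630; reference:bugtraq,189; classtype:attempted-admin; sid:995; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS anot.htr access";flags: A+; uricontent:"/iisadmpwd/anot"; nocase; reference:bugtraq,2110; reference:cve,CAN-1999-0407; classtype:attempted-recon; sid:996; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS asp-dot attempt";flags: A+; uricontent:".asp."; nocase; classtype:attempted-recon; sid:997; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS asp-srch attempt";flags: A+; uricontent:"#filename=*.asp"; nocase; classtype:attempted-recon; sid:998; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS bdir access";flags: A+; uricontent:"/scripts/iisadmin/bdir.htr"; nocase; classtype:attempted-admin; sid:999; rev:1;)
# msg says "bdir.ht" while the pattern is "/bdir.htr". Left as found.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS bdir.ht access"; uricontent:"/bdir.htr"; nocase; flags:A+; classtype:attempted-recon; sid:1000; rev:1;)
# NOTE(review): the leading "." in ".carbo.dll" may be unintended (a path
# separator would be expected). Only the second content is followed by nocase.
# Confirm against a known-good capture.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS carbo.dll access";flags: A+; content:".carbo.dll"; content:"icatcommand="; nocase; reference:bugtraq,2126; classtype:attempted-recon; sid:1001; rev:1;)

# --- Command interpreter references ------------------------------------------
# Plain content match on "cmd.exe" anywhere in the payload: broad by design
# and high value, but it will also fire on benign bodies that mention the
# string.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; flags: A+; content:"cmd.exe"; nocase; classtype:attempted-user; sid:1002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd? access";flags: A+; content:".cmd?&"; nocase; classtype:attempted-user; sid:1003; rev:1;)

# --- IIS sample site ----------------------------------------------------------
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS codebrowser Exair access";flags: A+; uricontent:"/iissamples/exair/howitworks/codebrws.asp"; nocase; reference:cve,CVE-1999-0499; classtype:attempted-recon; sid:1004; rev:1;)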