Rule:--Sid:1242--Summary:This event is generated when an attempt is made to access the .ida Indexing Service ISAPI filter. --Impact:Intelligence gathering activity. If an .ida file is erroneously shared from a network share, an error message is returned from a request that contains the share path will be disclosed.--Detailed Information:Microsoft Internet Information Service (IIS) installs several Internet Service Application Programming Interface (ISAPI) extensions.  The .ida ISAPI filter provides support for administrative scripts.  Files with the .ida suffix should not be located on network shares.  If an attempt is made to access them from a network share, an error message is returned disclosing the share path.  --Affected Systems:Hosts running IIS 4.0Hosts running IIS 5.0--Attack Scenarios:An attacker can attempt to access a file with the .ida suffix in an attempt to receive an error message with disclosure about the share path.--Ease of Attack:Simple. --False Positives:The HotSaNIC (hotsanic.sourceforge.net) System and Network Info Centrecan graph the occurence of worms attacks on a server against time. TheHotSaNIC system displays 'WEB-IIS ISAPI .ida access' attempts on theserver in images named default.ida-year.gif, default.ida-month.gif,default.ida-week.gif and also using a web page default.ida.html. Eachtime any of these components are accessed it generates an event.--False Negatives:None Known.--Corrective Action:Do not place files with the .ida suffix on a network share. --Contributors:Original rule written by Dr SuSE and C. Mayor Modified by Brian Caswell <bmc@sourcefire.com>Sourcefire Research TeamJudy Novak <judy.novak@sourcefire.com>False positive information contributed by Chris McMahon <chris@mcmahon.co.uk>--Additional References:Arachnidshttp://www.whitehats.com/info/IDS552CVEhttp://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0071--