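# (C) Copyright 2001, Martin Roesch, Brian Caswell, et al. All rights reserved.
# $Id: web-iis.rules,v 1.1 2002/08/12 11:42:08 scara Exp $
#--------------
# WEB-IIS RULES
#--------------
# Signatures for requests aimed at Microsoft IIS: known ISAPI / sample-script
# paths, canonicalization tricks and a few request-smuggling style headers.
# Every rule is inbound-only ($EXTERNAL_NET -> $HTTP_SERVERS:$HTTP_PORTS) and
# uses flow:to_server,established, so stream reassembly must be enabled or
# none of them will fire. uricontent: matches against the normalized URI
# produced by the HTTP decoding preprocessor; plain content: matches anywhere
# in the request payload (headers and body included).
#
# Classtype convention used below:
#   web-application-activity - access to a path that is usually only of interest
#                              to a scanner or attacker; confirm before acting.
#   web-application-attack   - the request itself carries the exploit pattern.

# Chunked Transfer-Encoding against .htr / .asp handlers (MS02-028 / MS02-018).
# Note: any legitimate chunked POST to an .asp page also satisfies sid 1618;
# expect noise on sites that accept chunked uploads.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .htr Transfer-Encoding\: chunked"; flow:to_server,established; uricontent:".htr"; nocase; content:"Transfer-Encoding\:"; nocase; content:"chunked"; nocase; classtype:web-application-attack; reference:bugtraq,5003; reference:cve,CAN-2002-0364; sid:1806; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .asp Transfer-Encoding\: chunked"; flow:to_server,established; uricontent:".asp"; nocase; content:"Transfer-Encoding\:"; nocase; content:"chunked"; nocase; classtype:web-application-attack; reference:bugtraq,4474; reference:cve,CAN-2002-0079; sid:1618; rev:6;)

# Disabled: three single-byte content matches (":", LF, NUL) are far too
# generic to identify a header overflow and would match much ordinary traffic.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS header field buffer overflow attempt"; flow:to_server,established; content:"|3a|"; content:"|0a|"; content:"|00|"; classtype:web-application-attack; reference:bugtraq,4476; sid:1768; rev:2;)

# Access to specific known-weak files and ISAPI extensions.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /StoreCSVS/InstantOrder.asmx request"; flow:to_server,established; uricontent:"/StoreCSVS/InstantOrder.asmx"; nocase; classtype:web-application-activity; sid:1626; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS users.xml access"; flow:to_server,established; uricontent:"/users.xml"; nocase; classtype:web-application-activity; sid:1750; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS as_web.exe access"; flow:to_server,established; uricontent:"/as_web.exe"; nocase; reference:bugtraq,4670; classtype:web-application-activity; sid:1753; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS as_web4.exe access"; flow:to_server,established; uricontent:"/as_web4.exe"; nocase; reference:bugtraq,4670; classtype:web-application-activity; sid:1754; rev:2;)
# Plain content: match, not uricontent: - "logged,true" is looked for anywhere
# in the request (it is the NewsPro auth token, normally carried in a cookie).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS NewsPro administration authentication attempt"; flow:to_server,established; content:"logged,true"; classtype:web-application-activity; sid:1756; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS pbserver access"; flow:to_server,established; uricontent:"/pbserver/pbserver.dll"; nocase; reference:url,www.microsoft.com/technet/security/bulletin/ms00-094.asp; classtype:web-application-activity; sid:1772; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS trace.axd access"; flow:to_server,established; uricontent:"/trace.axd"; nocase; classtype:web-application-activity; sid:1660; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /isapi/tstisapi.dll access"; flow:to_server,established; uricontent:"/isapi/tstisapi.dll"; nocase; reference:cve,CAN-2001-0302; reference:bugtraq,2381; classtype:web-application-activity; sid:1484; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS mkilog.exe access"; flow:to_server,established; uricontent:"/mkilog.exe"; nocase; classtype:web-application-activity; sid:1485; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ctss.idc access"; flow:to_server,established; uricontent:"/ctss.idc"; nocase; classtype:web-application-activity; sid:1486; rev:3;)
# rev 4: added nocase. IIS resolves paths case-insensitively, so without it a
# request for /IISADMPWD/AEXP2.HTR reached the handler but evaded this rule
# (its siblings achg.htr / anot.htr already used nocase).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /iisadmpwd/aexp2.htr access"; flow:to_server,established; uricontent:"/iisadmpwd/aexp2.htr"; nocase; classtype:web-application-activity; sid:1487; rev:4;)

# WebDAV LOCK method: anchored at the start of the request line (offset 0,
# depth 5) so a "LOCK " string inside a body or header does not match.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS webdav file lock attempt"; flow:to_server,established; content:"LOCK "; offset:0; depth:5; reference:bugtraq,2736; classtype:web-application-activity; sid:969; rev:3;)

# ISAPI extensions. The "attempt" variants for .ida/.idq add dsize:>239 and a
# "?" after the extension: an oversized query to the indexing ISAPI is the
# attack pattern, a bare .ida/.idq request is only recorded as activity.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ISAPI .printer access"; uricontent:".printer"; nocase; flow:to_server,established; reference:cve,CAN-2001-0241; reference:arachnids,533; classtype:web-application-activity; sid:971; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ISAPI .ida attempt"; uricontent:".ida?"; nocase; dsize:>239; flow:to_server,established; reference:arachnids,552; classtype:web-application-attack; reference:bugtraq,1065; reference:cve,CAN-2000-0071; sid:1243; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ISAPI .ida access"; uricontent:".ida"; nocase; flow:to_server,established; reference:arachnids,552; classtype:web-application-activity; reference:cve,CAN-2000-0071; reference:bugtraq,1065; sid:1242; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ISAPI .idq attempt"; uricontent:".idq?"; nocase; dsize:>239; flow:to_server,established; reference:arachnids,553; classtype:web-application-attack; reference:cve,CAN-2000-0071; reference:bugtraq,1065; sid:1244; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ISAPI .idq access"; uricontent:".idq"; nocase; flow:to_server,established; reference:arachnids,553; classtype:web-application-activity; reference:cve,CAN-2000-0071; reference:bugtraq,1065; sid:1245; rev:6;)

# Source-disclosure and path tricks against the ASP / IDC handlers.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS %2E-asp access"; flow:to_server,established; uricontent:"%2e.asp"; nocase; reference:bugtraq,1814; reference:cve,CAN-1999-0253; classtype:web-application-activity; sid:972; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS *.idc attempt"; flow:to_server,established; uricontent:"/*.idc"; nocase; reference:bugtraq,1448; reference:cve,CVE-1999-0874; classtype:web-application-attack; sid:973; rev:7;)
# |2e2e5c2e2e| is the byte sequence "..\.." (backslash traversal).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ..\.. access"; flow:to_server,established; content:"|2e2e5c2e2e|"; reference:bugtraq,2218; reference:cve,CAN-1999-0229; classtype:web-application-attack; sid:974; rev:6;)
# NTFS alternate data stream suffix "::$DATA" appended to an .asp name.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .asp\:\:$DATA access"; flow:to_server,established; uricontent:".asp|3a3a|$DATA"; nocase; reference:bugtraq,149; reference:url,support.microsoft.com/default.aspx?scid=kb\;EN-US\;q188806; reference:cve,CVE-1999-0278; classtype:web-application-attack; sid:975; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .bat? access"; flow:to_server,established; uricontent:".bat?"; nocase; reference:bugtraq,2023; reference:cve,CVE-1999-0233; reference:url,support.microsoft.com/support/kb/articles/Q148/1/88.asp; reference:url,support.microsoft.com/support/kb/articles/Q155/0/56.asp; classtype:web-application-activity; sid:976; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .cnf access"; uricontent:".cnf"; nocase; flow:to_server,established; classtype:web-application-activity; sid:977; rev:6;)

# Index Server "webhits" source viewing. sids 978 and 979 share a msg; tell
# them apart by sid when triaging.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ASP contents view"; flow:to_server,established; content:"%20"; content:"&CiRestriction=none"; nocase; content:"&CiHiliteType=Full"; nocase; reference:cve,CAN-2000-0302; reference:bugtraq,1084; classtype:web-application-attack; sid:978; rev:7;)
# rev 7: added nocase - the .htw handler path is case-insensitive on IIS, and
# matching it case-sensitively let mixed-case requests through unalerted.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ASP contents view"; flow:to_server,established; uricontent:".htw?CiWebHitsFile"; nocase; reference:bugtraq,1864; classtype:web-application-attack; sid:979; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS CGImail.exe access"; flow:to_server,established; uricontent:"/scripts/CGImail.exe"; nocase; reference:cve,CAN-2000-0726; reference:bugtraq,1623; classtype:web-application-activity; sid:980; rev:5;)

# IIS Unicode directory traversal (overlong UTF-8 encodings of "/" and "\").
# These match the *encoded* forms %c0%af, %c1%1c and %c1%9c. If the HTTP
# decoding preprocessor is configured to decode IIS Unicode before rule
# evaluation, the URI seen by uricontent: may already be "../" and these will
# not fire - verify against the preprocessor settings on the sensor.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS File permission canonicalization"; uricontent:"/scripts/..%c0%af../"; flow:to_server,established; nocase; classtype:web-application-attack; sid:981; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS File permission canonicalization"; uricontent:"/scripts/..%c1%1c../"; flow:to_server,established; nocase; classtype:web-application-attack; sid:982; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS File permission canonicalization"; uricontent:"/scripts/..%c1%9c../"; flow:to_server,established; nocase; classtype:web-application-attack; sid:983; rev:5;)

# Disabled sample-script rules (kept for reference).
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS JET VBA access"; flow:to_server,established; uricontent:"/scripts/samples/ctguestb.idc"; nocase; reference:bugtraq,307; reference:cve,CVE-1999-0874; classtype:web-application-activity; sid:984; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS JET VBA access"; flow:to_server,established; uricontent:"/scripts/samples/details.idc"; nocase; reference:bugtraq,286; reference:cve,CVE-1999-0874; classtype:web-application-activity; sid:985; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS MSProxy access"; flow:to_server,established; uricontent:"/scripts/proxy/w3proxy.dll"; nocase; classtype:web-application-activity; sid:986; rev:5;)

# .htr handler (MS00-044 / CVE-2000-0630). sid 1725 is the specific "+.htr"
# source-fragment request; sid 987 fires on any .htr URI and will therefore
# also fire alongside 1725, 1806 and the /iisadmpwd rules.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS +.htr code fragment attempt"; flow:to_server,established; uricontent:"+.htr"; nocase; reference:cve,CVE-2000-0630; classtype:web-application-attack; sid:1725; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .htr access"; flow:to_server,established; uricontent:".htr"; nocase; reference:cve,CVE-2000-0630; classtype:web-application-activity; sid:987; rev:9;)
# Plain content: match - "sam._" (a compressed SAM backup name) is searched for
# anywhere in the request, not just the URI.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS SAM Attempt"; flow:to_server,established; content:"sam._"; nocase; classtype:web-application-attack; sid:988; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Unicode2.pl script (File permission canonicalization)"; uricontent:"/sensepost.exe"; flow:to_server,established; nocase; classtype:web-application-activity; sid:989; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS _vti_inf access"; flow:to_server,established; uricontent:"_vti_inf.html"; nocase; classtype:web-application-activity; sid:990; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS achg.htr access"; flow:to_server,established; uricontent:"/iisadmpwd/achg.htr"; nocase; reference:cve,CVE-1999-0407; reference:bugtraq,2110; classtype:web-application-activity; sid:991; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS adctest.asp access"; flow:to_server,established; uricontent:"/msadc/samples/adctest.asp"; nocase; classtype:web-application-activity; sid:992; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /scripts/iisadmin/default.htm access"; flow:to_server,established; uricontent:"/scripts/iisadmin/default.htm"; nocase; classtype:web-application-attack; sid:994; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ism.dll access"; flow:to_server,established; uricontent:"/scripts/iisadmin/ism.dll?http/dir"; nocase; reference:cve,CVE-2000-0630; reference:bugtraq,189; classtype:web-application-attack; sid:995; rev:7;)
# Deliberately matches the "/iisadmpwd/anot" prefix rather than the full
# anot.htr name.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS anot.htr access"; flow:to_server,established; uricontent:"/iisadmpwd/anot"; nocase; reference:bugtraq,2110; reference:cve,CVE-1999-0407; classtype:web-application-activity; sid:996; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS asp-dot attempt"; flow:to_server,established; uricontent:".asp."; nocase; classtype:web-application-attack; sid:997; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS asp-srch attempt"; flow:to_server,established; uricontent:"#filename=*.asp"; nocase; classtype:web-application-attack; sid:998; rev:5;)
# sid 999 is disabled in favour of the broader /bdir.htr match in sid 1000.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS bdir access"; flow:to_server,established; uricontent:"/scripts/iisadmin/bdir.htr"; nocase; classtype:web-application-activity; sid:999; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS bdir.htr access"; uricontent:"/bdir.htr"; nocase; flow:to_server,established; classtype:web-application-activity; sid:1000; rev:6;)
# Plain content: match so a cmd32.exe reference in a POST body is caught too.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cmd32.exe access"; flow:to_server,established; content:"cmd32.exe"; nocase; classtype:web-application-attack; sid:1661; rev:3;)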