1243.txt

snort入侵检测规则文件2.4 Snort是众所周知的网络入侵检测工具

Rule:

--
Sid:
1243

--
Summary:
This event is generated when an attempt is made to access the .ida Indexing Service ISAPI filter. 

--
Impact:
Remote access.  This attack may allow execution of arbitrary commands in System context providing complete control of the server. 

--
Detailed Information:
Microsoft Internet Information Service (IIS) installs several Internet Service Application Programming Interface (ISAPI) extensions.  A buffer overflow vulnerability exists because of improper buffer checking in the .ida ISAPI filter.  This may allow execution of arbitrary commands with System level access on the vulnerable server.  The Code Rode worm used this vulnerability to propagate.

--
Affected Systems:
Windows NT 4.0 IIS 4.0
Windows 2000 IIS 5.0
Windows XP beta IIS 6.0 beta

--
Attack Scenarios:
An attacker can craft a special HTTP request that can cause a buffer overflow.  

--
Ease of Attack:
Simple. Send the following request to a vulnerable server:
GET /a.ida?NNNN... HTTP/1.0 where 240 N's or other characters are supplied. 

--
False Positives:
None Known.

--
False Negatives:
None Known.

--
Corrective Action:

Consider removing the .ida ISAPI filter if it is not necessary.
 
Download and install the appropriate patch mentioned in the Microsoft bulletin.

--
Contributors:
Original rule written by  Dr SuSE and C. Mayor. 
Modified by Brian Caswell <bmc@sourcefire.com>
Sourcefire Research Team
Judy Novak <judy.novak@sourcefire.com>

--
Additional References:

Arachnids
http://www.whitehats.com/info/IDS552

CERT
http://www.cert.org/incident_notes/IN-2001-08.html

Microsoft
http://www.microsoft.com/technet/security/bulletin/ms01-033.asp

eEye Digital Security
http://www.eeye.com/html/Research/Advisories/AD20010618.html


--