From: Sloan, Scott (CIT) (SloanSmail.nih.gov)
Date: Fri May 18 2001 - 08:09:49 CDT

    TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
    majordomoiss.net Contact issforum-owneriss.net for help with any problems!
    ----------------------------------------------------------------------------

    I'm using it and it works great. The one that is causing problems (false
    positives) is the recent May 15, 2001,
    IIS URL Decoding Vulnerability. It's picking up valid web traffic.

    Has anyone else experienced this problem?

    -Scott

    -----Original Message-----
    From: Luis Javier Perez [mailto:lperezscitum.com.mx]
    Sent: Thursday, May 17, 2001 1:51 PM
    To: issforumiss.net
    Subject: Unicode and RealSecure

    Hi all.

    I followed the alert from October 26, 2000 from X-Force
    (http://xforce.iss.net/alerts/advise68.php), which explains how to configure
    RealSecure to detect the IIS Unicode exploit.

    I followed these directions but the sensor doesn't detect anything.
    Has anyone configured these successfully? I would really appreciate help.

    Thanks.

    ISS RealSecure customers may use the following user-defined signature to
    detect this attack:

    From the Sensor window, right-click the sensor and select Properties.
    Select your policy, and then click 'Customize'.
    Click the 'User Defined Events' tab.
    Click 'Add' on the right hand side of the dialog box.
    Type in a name for the event, such as 'IIS Unicode Translation'.
    In the 'Context' field, select 'URL_Data'.
    In the 'String' field, type the following:
    \.\.(\xC0|\xC1|\xE0|\xF0|\xF8|\xFC)

    Click 'Save', and then click 'Close'.
    Click 'Apply to Sensor' or 'Apply to Engine', depending on the version
    of RealSecure you are using.

    This will detect publicly known versions of this attack. This string
    looks for two periods, followed by either 0xC0, 0xC1, 0xE0, 0xF0, 0xF8,
    or 0xFC. This is a typical exploit scenario for this vulnerability. It is
    possible for this user-defined signature to report a false positive. ISS
    X-Force recommends that RealSecure administrators examine the event.

    _________________________________
    Luis Javier Perez Del Real
    Consultor en Seguridad
    SCITUM Consulting
    Tel. (52)55340062 xt. 2749
    lperezscitum.com.mx

    "Making the Theoretical Practical"
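
The following is an added example, not part of the original messages or the X-Force advisory. It runs the quoted signature string over constructed sample URLs to show two things a sensor administrator can check: the pattern only matches once percent-escapes are decoded to bytes, and a legitimate UTF-8 path can trip it. Whether the RealSecure `URL_Data` context sees decoded or raw data is not stated on the page and is treated as an open question here; `overlong_after_dots` is a hypothetical triage helper, not a RealSecure feature.

```python
import re
from urllib.parse import unquote_to_bytes

# Signature string exactly as quoted in the advisory text above.
SIGNATURE = re.compile(rb"\.\.(\xC0|\xC1|\xE0|\xF0|\xF8|\xFC)")

def signature_hit(data: bytes) -> bool:
    """True if the advisory's pattern occurs anywhere in the byte string."""
    return SIGNATURE.search(data) is not None

def overlong_after_dots(data: bytes) -> bool:
    """Stricter triage check (an assumption, not from the advisory): the byte
    after '..' must begin an overlong or otherwise invalid UTF-8 sequence."""
    for m in SIGNATURE.finditer(data):
        lead = m.group(1)[0]
        nxt = data[m.end()] if m.end() < len(data) else None
        if lead in (0xC0, 0xC1, 0xF8, 0xFC):   # never valid UTF-8 lead bytes
            return True
        if lead == 0xE0 and nxt is not None and 0x80 <= nxt <= 0x9F:
            return True                         # overlong 3-byte form
        if lead == 0xF0 and nxt is not None and 0x80 <= nxt <= 0x8F:
            return True                         # overlong 4-byte form
    return False

def triage(url: str) -> dict:
    """Compare the signature on the raw request text and on decoded bytes."""
    raw = url.encode("ascii")
    decoded = unquote_to_bytes(url)
    return {
        "raw_hit": signature_hit(raw),
        "decoded_hit": signature_hit(decoded),
        "overlong": overlong_after_dots(decoded),
    }

# Constructed sample request paths (not taken from any real log).
SAMPLES = [
    "/scripts/..%c0%af../x",          # '..' followed by 0xC0 after decoding
    "/files/notes..%E0%B8%81.txt",    # '..' followed by a valid Thai character
    "/index.html",                    # ordinary request
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, triage(url))
```

If the sensor matches against the raw request line, the first sample never fires, which is one possible reason for the "doesn't detect anything" result; the second sample is the kind of valid traffic the advisory's false-positive caveat covers.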