From: Larimer, Jon (ISSAtlanta) (JLarimer@iss.net)
Date: Fri May 18 2001 - 13:40:39 CDT
TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
majordomo@iss.net Contact issforum-owner@iss.net for help with any problems!
----------------------------------------------------------------------------
Try using:
(%5c|%2e|%2f).*exe$
Instead. This will make sure that the URL ends in "exe". This should
eliminate most false positives. The problem is that some sites (like Lycos)
do some double-escaping of URLs that show up in the request, so "http://"
gets encoded as "http%253a%252e%252e", triggering the signature. We are
currently updating the alert to show the updated signature. If anyone is
still seeing false positives, or even false negatives, please let me know,
or just call Support.
-jon
=====================================================================
Jon Larimer | Direct Dial: (404) 236-2843
Senior Researcher / X-Force | ISS Front Desk: (404) 236-2600
Internet Security Systems, Inc. |
=====================================================================
> -----Original Message-----
> From: Sloan, Scott (CIT) [mailto:SloanS@mail.nih.gov]
> Sent: Friday, May 18, 2001 9:10 AM
> To: 'lperez@scitum.com.mx'; issforum@iss.net
> Subject: RE: Unicode and RealSecure
>
> I'm using it and it works great. The one that is causing problems (false
> positives) is the recent May 15, 2001, IIS URL Decoding Vulnerability.
> It's picking up valid web traffic.
>
> Has anyone else experienced this problem?
>
> -Scott
>
> -----Original Message-----
> From: Luis Javier Perez [mailto:lperez@scitum.com.mx]
> Sent: Thursday, May 17, 2001 1:51 PM
> To: issforum@iss.net
> Subject: Unicode and RealSecure
>
> Hi all.
>
> I followed the alert from October 26, 2000 from X-Force
> (http://xforce.iss.net/alerts/advise68.php), which explains how to configure
> RealSecure to detect the IIS Unicode exploit.
>
> I followed these directions but the sensor doesn't detect anything.
> Has anyone configured this successfully? I would really appreciate help.
>
>
> thanks.
>
>
> ISS RealSecure customers may use the following user-defined
> signature to
> detect
> this attack:
>
> From the Sensor window, right-click the sensor and select Properties.
> Select your policy, and then click 'Customize'.
> Click the 'User Defined Events' tab.
> Click 'Add' on the right hand side of the dialog box.
> Type in a name for the event, such as 'IIS Unicode Translation'.
> In the 'Context' field, select 'URL_Data'.
> In the 'String' field, type the following:
> \.\.(\xC0|\xC1|\xE0|\xF0|\xF8|\xFC)
>
> Click 'Save', and then click 'Close'.
> Click 'Apply to Sensor' or 'Apply to Engine', depending on the version
> of RealSecure you are using.
>
> This will detect publicly known versions of this attack. This string
> looks for two periods, followed by either 0xC0, 0xC1, 0xE0, 0xF0, 0xF8,
> or 0xFC. This is a typical exploit scenario for this vulnerability. It is
> possible for this user-defined signature to report a false positive. ISS
> X-Force recommends that RealSecure administrators examine the event.
>
>
>
> _________________________________
> Luis Javier Perez Del Real
> Security Consultant
> SCITUM Consulting
> Tel. (52)55340062 xt. 2749
> lperez@scitum.com.mx
>
> "Making the Theoretical Practical"
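The two signature strings quoted in this thread, run over a few constructed request lines so the effect of Jon's trailing "exe$" anchor on the Lycos-style double-escaped URLs can be seen. This is an added example, not code from the thread or from ISS; it assumes the strings are matched against the URL after one round of %-decoding, and the unanchored pattern is an assumed reconstruction, since the thread does not quote the original string.

```python
import re
from urllib.parse import unquote_to_bytes

# User-defined event strings as quoted in the thread. The raw byte escapes in
# the Unicode signature only make sense against a once-decoded URL, which is
# assumed here to be what the URL_Data context sees (not stated in the thread).
SIGNATURES = {
    # October 2000 X-Force advisory: two periods followed by a UTF-8 lead byte
    "IIS Unicode Translation": re.compile(rb"\.\.(\xC0|\xC1|\xE0|\xF0|\xF8|\xFC)"),
    # Jon's revised string: an escaped separator somewhere, and the URL ends in "exe"
    "IIS URL Decoding (anchored)": re.compile(rb"(%5c|%2e|%2f).*exe$", re.IGNORECASE),
    # Assumed shape of the original, unanchored string; kept only to show why
    # the trailing "exe$" cuts the false positives Scott reported
    "IIS URL Decoding (unanchored)": re.compile(rb"%5c|%2e|%2f", re.IGNORECASE),
}


def decode_once(url: bytes) -> bytes:
    """Undo exactly one layer of %-escaping: '%255c' -> '%5c', '%c0%af' -> bytes C0 AF."""
    return unquote_to_bytes(url)


def match_signatures(url: bytes) -> set:
    """Return the names of the signatures that fire on one request URL."""
    data = decode_once(url)
    return {name for name, sig in SIGNATURES.items() if sig.search(data)}


# Constructed sample request lines (not taken from any real log).
SAMPLE_REQUESTS = {
    # ".." plus a UTF-8 lead byte once decoded: the October 2000 pattern
    "unicode traversal": b"/scripts/..%c0%af../winnt/system32/cmd.exe",
    # "%255c" decodes once to "%5c": the May 2001 double-decoding pattern
    "double-decode traversal": b"/scripts/..%255c../winnt/system32/cmd.exe",
    # Jon's Lycos case: "http://" double-escaped inside a redirect parameter
    "lycos-style double escaping": b"/cgi-bin/redir?u=http%253a%252e%252ewww.example.com",
    # Ordinary download ending in "exe" with no escaped separators
    "plain download": b"/downloads/setup.exe",
}

if __name__ == "__main__":
    for label, url in SAMPLE_REQUESTS.items():
        print(f"{label:30} {sorted(match_signatures(url))}")
```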