Daniel,

When we write a new signature to detect attempts to exploit a vulnerability, the actual exploit tools do not exist yet or are unavailable to us. In some cases they evolve rapidly after we release our updates. So sometimes it is difficult to predict all of the signatures a specific exploit tool will trigger.

In your example, all of the signatures are reporting on different aspects of the attack being launched against your site. WebDAV_Long_Rqst_BO is the most specific and indicates an attempt to exploit a particular vulnerability. HTTP_URL_Name_Very_Long is a protocol anomaly signature that indicates that the HTTP request is far larger than is normal. HTTP_IIS_Unicode_Wide_Encoding and HTTP_URL_Bad_Hex_Code detect particular techniques used to evade detection and/or IIS security. These latter two signatures combined with the others tend to reinforce the impression of a deliberate intrusion attempt and not some false positive.

Once we recognize sets of signatures that trigger together, we update the rules in our tables to report only the most significant one. In this case, we would only report WebDAV_Long_Rqst_BO. Indeed, this change has already been made and we currently plan to include it in the next XPU.

Thank you for your feedback. I would also be interested in hearing of other patterns of signatures that always seem to occur together.

Paul

-----Original Message-----
From: Daniel Cerqueira dos Santos Fonseca - ATL [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 25, 2003 12:26 PM
To: '[EMAIL PROTECTED]'
Subject: [ISSForum] WebDAV BO Signature

Hi everyone.

We have recently updated one of our network sensors with X-Press Update 20.11, which has a signature for the recently discovered WebDAV IIS issue. However, recent possible attacks involving this event have been triggering others as well, such as Unicode_Wide_Encoding, Bad_Hex_Code and Name_Very_Long. The facts that these three ALWAYS happen when a WebDAV_Long_Rqst_BO happens, and precisely at the same time and count, appeared odd to me.

Has anyone seen such cases too? Is that the desired behavior? If so, what is the point of having multiple events triggered by a single, specific attack?
TIA,

Daniel Fonseca
TI - SSO :: System Security Office
ATL - Algar Telecom Leste
Tel.: +55 21 2528-9993
Cel.: +55 21 9427-9323

_______________________________________________
ISSForum mailing list
[EMAIL PROTECTED]
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo
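The two behaviours discussed in this thread, spotting signatures that always fire together and then reporting only the most specific one, can be modelled on the analyst side as well. The following is an added example and not ISS sensor code; the alert tuple layout, the suppression table structure and the sample alerts are assumptions constructed for illustration, using the signature names from the thread.

```python
"""Co-firing detection and alert consolidation for IDS events (added example)."""
from collections import defaultdict

# Suppression table: a specific signature and the generic ones it subsumes when
# they fire from the same source at the same instant. Contents follow the thread;
# the structure itself is an assumption for this example.
SUPPRESS = {
    "WebDAV_Long_Rqst_BO": {
        "HTTP_URL_Name_Very_Long",
        "HTTP_IIS_Unicode_Wide_Encoding",
        "HTTP_URL_Bad_Hex_Code",
    },
}

# Constructed sample alerts: (timestamp, source address, signature).
# The last one is a generic signature firing on its own and must survive.
SAMPLE_ALERTS = [
    ("2003-03-25T12:00:01", "192.0.2.10", "WebDAV_Long_Rqst_BO"),
    ("2003-03-25T12:00:01", "192.0.2.10", "HTTP_URL_Name_Very_Long"),
    ("2003-03-25T12:00:01", "192.0.2.10", "HTTP_IIS_Unicode_Wide_Encoding"),
    ("2003-03-25T12:00:01", "192.0.2.10", "HTTP_URL_Bad_Hex_Code"),
    ("2003-03-25T12:03:44", "192.0.2.77", "HTTP_URL_Name_Very_Long"),
]


def _group(alerts):
    """Bucket signatures by (timestamp, source), i.e. 'same time, same count'."""
    groups = defaultdict(set)
    for ts, src, sig in alerts:
        groups[(ts, src)].add(sig)
    return groups


def always_with(alerts, primary):
    """Signatures present in every group where `primary` fired (Daniel's observation)."""
    hits = [sigs for sigs in _group(alerts).values() if primary in sigs]
    if not hits:
        return set()
    return set.intersection(*hits) - {primary}


def consolidate(alerts):
    """Report each alert unless a co-firing primary in the same group subsumes it."""
    groups = _group(alerts)
    report = []
    for ts, src, sig in alerts:
        others = groups[(ts, src)] - {sig}
        if not any(sig in SUPPRESS.get(p, ()) for p in others):
            report.append((ts, src, sig))
    return report
```

Running `consolidate(SAMPLE_ALERTS)` keeps the WebDAV_Long_Rqst_BO alert and the lone HTTP_URL_Name_Very_Long from the second source, while `always_with` recovers the three generic signatures as candidates for the suppression table.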
