I wish I could test this, but the rules look properly formatted to me. Awesome work!
If anyone tests this and sees it in action, let us know. On Tue, Sep 21, 2010 at 4:43 PM, McClinton, Rick <[email protected]> wrote: > So all you ASP.NET guys are looking at your web.config files to see if your > customError is set. > > > > http://www.microsoft.com/technet/security/advisory/2416728.mspx > > > > So I found at this page the format of event log messages that will come up > when a system is being probed: > > http://weblogs.asp.net/scottgu/archive/2010/09/20/frequently-asked-questions-about-the-asp-net-security-vulnerability.aspx > > > > Here are the rules I am writing to try to detect this attack: > > > > <rule id="100100" level="7" > > > <if_sid>18103</if_sid> <!-- windows ERROR event --> > > <id>3005</id> <!-- event code --> > > <match>Padding is invalid and cannot be removed</match> > > <description>.NET Cryptographic error</description> > > </rule> > > > > <rule id="100101" level="12" frequency="6" timeframe="60"> > > <if_matched_sid>100100</if_matched_sid> > > <description>Multiple .NET Crypto errors possible POET attack</description> > > <group>attack</group> > > </rule> > > > > Comments/questions? Does it look like I have it correct? > > > > Thanks!! > > > > Rick > > > > PS Sorry about the following disclaimer. > > This message contains TMA Resources confidential information and is intended > only for the individual named. If you are not the named addressee you should > not disseminate, distribute or copy this e-mail. Please notify the sender > immediately by e-mail if you have received this e-mail by mistake and delete > this e-mail from your system. E-mail transmission cannot be guaranteed to be > secure or error-free as information could be intercepted, corrupted, lost, > destroyed, arrive late or incomplete, or contain viruses. The sender > therefore does not accept liability for any errors or omissions in the > contents of this message which arise as a result of e-mail transmission. If > verification is required please request a hard-copy version. >
