On Tue, 21 Sep 2010 16:43:54 -0400, "McClinton, Rick" <[email protected]> wrote:
> So I found at this page the format of event log messages that will come up
> when a system is being probed:
> http://weblogs.asp.net/scottgu/archive/2010/09/20/frequently-asked-questions-about-the-asp-net-security-vulnerability.aspx
>
> Here are the rules I am writing to try to detect this attack:
>
> <rule id="100100" level="7">
>   <if_sid>18103</if_sid> <!-- windows ERROR event -->
>   <id>3005</id> <!-- event code -->
>   <match>Padding is invalid and cannot be removed</match>
>   <description>.NET Cryptographic error</description>
> </rule>
>
> <rule id="100101" level="12" frequency="6" timeframe="60">
>   <if_matched_sid>100100</if_matched_sid>
>   <description>Multiple .NET Crypto errors possible POET attack</description>
>   <group>attack</group>
> </rule>
>
> Comments/questions? Does it look like I have it correct?

Rick,

Thanks for sharing your rules. Is the event ID always going to be 3005? You may want to double-check that. Looks like it would work, though. Is there an exploit to check them? I'm not too current on the IIS stuff.

I think OSSEC would also detect this attack indirectly through rule 31151.

-- 
[I] Immutable Security
Information Security, Privacy and Personal Liberty
http://www.immutablesecurity.com
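To check what the two-rule chain in the thread would do against real-looking input before loading it into OSSEC, here is a stand-alone Python model of it. This is an added example, not code from the thread and not OSSEC's own rule engine: it applies the rule 100100 conditions (ERROR event, event id 3005, the padding message) to each line and then a frequency="6" / timeframe="60" window in the manner of rule 100101. The log line layout, the host name WEB01, the timestamps and the sliding-window counting are all assumptions made for this example; OSSEC's internal counter semantics for `frequency` may differ.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample lines approximating what an OSSEC agent forwards from the
# Windows Application log. The layout, host name WEB01 and timestamps are
# assumptions made for this example, not data from the original thread.
SAMPLE_LOG = """\
2010 Sep 21 16:40:01 WinEvtLog: Application: ERROR(3005): ASP.NET 2.0.50727.0: (no user): no domain: WEB01: Event code: 3005 Event message: An unhandled exception has occurred. Exception message: Padding is invalid and cannot be removed.
2010 Sep 21 16:40:03 WinEvtLog: Application: ERROR(3005): ASP.NET 2.0.50727.0: (no user): no domain: WEB01: Event code: 3005 Event message: An unhandled exception has occurred. Exception message: Padding is invalid and cannot be removed.
2010 Sep 21 16:40:05 WinEvtLog: Application: WARNING(1309): ASP.NET 2.0.50727.0: (no user): no domain: WEB01: Event code: 1309 Event message: Request timed out.
2010 Sep 21 16:40:08 WinEvtLog: Application: ERROR(3005): ASP.NET 2.0.50727.0: (no user): no domain: WEB01: Event code: 3005 Event message: An unhandled exception has occurred. Exception message: Padding is invalid and cannot be removed.
2010 Sep 21 16:40:09 sshd[4321]: Accepted publickey for admin from 10.0.0.5 port 51234 ssh2
2010 Sep 21 16:40:10 WinEvtLog: Application: ERROR(3005): ASP.NET 2.0.50727.0: (no user): no domain: WEB01: Event code: 3005 Event message: An unhandled exception has occurred. Exception message: Invalid viewstate.
2010 Sep 21 16:40:12 WinEvtLog: Application: ERROR(3005): ASP.NET 2.0.50727.0: (no user): no domain: WEB01: Event code: 3005 Event message: An unhandled exception has occurred. Exception message: Padding is invalid and cannot be removed.
2010 Sep 21 16:40:15 WinEvtLog: Application: ERROR(3005): ASP.NET 2.0.50727.0: (no user): no domain: WEB01: Event code: 3005 Event message: An unhandled exception has occurred. Exception message: Padding is invalid and cannot be removed.
2010 Sep 21 16:40:20 WinEvtLog: Application: ERROR(3005): ASP.NET 2.0.50727.0: (no user): no domain: WEB01: Event code: 3005 Event message: An unhandled exception has occurred. Exception message: Padding is invalid and cannot be removed.
2010 Sep 21 16:45:00 WinEvtLog: Application: ERROR(3005): ASP.NET 2.0.50727.0: (no user): no domain: WEB01: Event code: 3005 Event message: An unhandled exception has occurred. Exception message: Padding is invalid and cannot be removed.
"""

# Field layout assumed above: "<ts> WinEvtLog: <log>: <TYPE>(<id>): <source>: <user>: <domain>: <host>: <message>"
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4} [A-Za-z]{3} \d{1,2} \d{2}:\d{2}:\d{2}) WinEvtLog: "
    r"(?P<log>[^:]+): (?P<type>[A-Z]+)\((?P<id>\d+)\): (?P<source>[^:]+): "
    r"(?P<user>[^:]+): (?P<domain>[^:]+): (?P<host>[^:]+): (?P<msg>.*)$"
)

MATCH_STRING = "Padding is invalid and cannot be removed"  # the <match> text of rule 100100


def parse_event(line):
    """Return a dict of fields for a WinEvtLog line, or None for any other line."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y %b %d %H:%M:%S")
    ev["id"] = int(ev["id"])
    return ev


def matches_rule_100100(ev):
    """Rule 100100: a Windows ERROR event (if_sid 18103), event id 3005, padding message."""
    return (
        ev is not None
        and ev["type"] == "ERROR"
        and ev["id"] == 3005
        and MATCH_STRING in ev["msg"]
    )


def correlate(events, frequency=6, timeframe=60):
    """Simplified model of rule 100101: fire when `frequency` rule-100100 matches fall
    within `timeframe` seconds. Exactly how OSSEC counts toward `frequency` is not
    reproduced here (assumption). Returns the timestamps at which an alert would fire."""
    window = deque()
    alerts = []
    span = timedelta(seconds=timeframe)
    for ev in events:
        window.append(ev["ts"])
        while window and ev["ts"] - window[0] > span:  # drop matches older than the timeframe
            window.popleft()
        if len(window) >= frequency:
            alerts.append(ev["ts"])
            window.clear()  # one burst yields one alert; start counting afresh
    return alerts


def run_detection(log_text, frequency=6, timeframe=60):
    """Parse every line, apply rule 100100, then the frequency rule; return (matches, alert times)."""
    matched = [ev for ev in (parse_event(l) for l in log_text.splitlines()) if matches_rule_100100(ev)]
    alerts = correlate(matched, frequency, timeframe)
    return matched, [ts.strftime("%Y %b %d %H:%M:%S") for ts in alerts]


if __name__ == "__main__":
    matched, alerts = run_detection(SAMPLE_LOG)
    print(f"rule 100100 matched {len(matched)} events")
    for a in alerts:
        print(f"rule 100101 would fire at {a}: repeated .NET padding errors")
```

Running it shows the point of the thread's second rule: the single 3005 event at 16:45 and the 3005 event with a different exception text never raise the level-12 alert, while the burst of six padding errors inside one minute does. Swapping in lines exported from a real server (and checking whether the event id really is always 3005, as the reply asks) is the quickest way to validate the rule before deploying it.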
