File: 1292.txt

Rule:

--
Sid: 
1292

--
Summary: 
This may be post-compromise behavior indicating the use of Windows
directory listing tools.

--
Impact: 
Varies. An attacker may have gained the ability to execute commands remotely on the web server.

--
Detailed Information:
This rule is aimed at catching the output of the standard Windows command for
listing directories. The string "Volume Serial Number" is printed at the top of
a "dir" listing on Windows NT/2000/XP.  Seeing such a response in HTTP
traffic indicates that someone has managed to "convince" the web server to
spawn a shell bound to a web port and has successfully executed at least one
command to list a directory. Note that the source address of this signature is
the victim (the web server) and not the attacker, unlike the exploit
signatures.
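The detection idea described above, as an added example that is not part of the original rule file or the Snort project: a small Python re-implementation that applies the two conditions the text gives (traffic leaving a web port, payload containing "Volume Serial Number") to flows constructed for this example. The HTTP port set, the flow records and the "exclude_servers" tuning knob are assumptions of the example, not Snort options.

```python
# Added example, not from the Snort rule file or the Snort project: a small
# re-implementation of the detection idea behind sid 1292, run over sample
# flows constructed for this example. The rule looks for the string
# "Volume Serial Number" in HTTP traffic *leaving* the web server, so the
# source address of an alert is the victim and the destination is the attacker.
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

MARKER = b"Volume Serial Number"
# Assumption for this example: the ports the sensor treats as web ports.
HTTP_PORTS: Set[int] = {80, 8080}


@dataclass
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


def is_server_to_client(flow: Flow, http_ports: Set[int] = HTTP_PORTS) -> bool:
    """True when the data was sent *from* a web port, i.e. by the server."""
    return flow.src_port in http_ports and flow.dst_port not in http_ports


def matches_sid1292(flow: Flow, http_ports: Set[int] = HTTP_PORTS) -> bool:
    """Direction check plus the content match described in the rule docs."""
    return is_server_to_client(flow, http_ports) and MARKER in flow.payload


def classify(flow: Flow,
             exclude_servers: Optional[Set[str]] = None,
             http_ports: Set[int] = HTTP_PORTS
             ) -> Tuple[bool, Optional[str], Optional[str]]:
    """Return (alert, victim_ip, attacker_ip).

    exclude_servers is a simple tuning knob (an assumption of this example,
    standing in for whatever tuning the deployment uses): servers known to
    legitimately serve pages containing the marker are skipped.
    """
    if exclude_servers and flow.src_ip in exclude_servers:
        return (False, None, None)
    if matches_sid1292(flow, http_ports):
        # The *source* of the matching traffic is the compromised server.
        return (True, flow.src_ip, flow.dst_ip)
    return (False, None, None)


# Constructed sample traffic for the example (not real captures).
DIR_OUTPUT = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
    b" Volume in drive C has no label.\r\n"
    b" Volume Serial Number is 1C3A-55F2\r\n\r\n"
    b" Directory of C:\\Inetpub\\wwwroot\r\n"
)
BENIGN_PAGE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"<p>On Windows, <code>dir</code> prints the Volume Serial Number first.</p>"
)
SAMPLE_FLOWS: List[Flow] = [
    # 1. cmd.exe output coming back from the web server: the real detection case.
    Flow("10.0.0.5", 80, "203.0.113.7", 40123, DIR_OUTPUT),
    # 2. Same marker text but client->server (e.g. in a form post), so the
    #    direction check keeps the rule from applying.
    Flow("203.0.113.7", 40123, "10.0.0.5", 80,
         b"POST /guestbook HTTP/1.0\r\n\r\nmessage=Volume Serial Number"),
    # 3. A legitimate page that happens to contain the string: the documented
    #    false positive, which still fires until the rule is tuned.
    Flow("10.0.0.9", 80, "198.51.100.2", 51000, BENIGN_PAGE),
]


def analyze(flows: List[Flow],
            exclude_servers: Optional[Set[str]] = None) -> List[Tuple[str, str]]:
    """Return (victim_ip, attacker_ip) pairs for every flow that alerts."""
    hits = []
    for flow in flows:
        alert, victim, attacker = classify(flow, exclude_servers)
        if alert:
            hits.append((victim, attacker))
    return hits


if __name__ == "__main__":
    for victim, attacker in analyze(SAMPLE_FLOWS):
        print(f"sid 1292: victim={victim} attacker={attacker}")
    # After tuning out the server that legitimately serves the string:
    print(analyze(SAMPLE_FLOWS, exclude_servers={"10.0.0.9"}))
```

Run stand-alone, the first loop reports both the real hit and the benign page; the tuned call reports only the real hit. The point to keep in mind when correlating: in every alert pair the source address is the server that ran the command, so that is the host to investigate.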

--
Affected Systems:
	Microsoft Windows systems

--
Attack Scenarios:
An attacker gains access to a Windows web server via an IIS vulnerability 
and manages to start a cmd.exe shell. He then proceeds to look for 
interesting files on the compromised server via the "dir" command.

--
Ease of Attack: 
Simple. This post-attack behavior can accompany different attacks.

--
False Positives: 
The rule will generate an event if the string "Volume Serial Number" appears in the 
content distributed by the web server, in which case the rule should be 
tuned.

--
False Negatives:
None Known

--
Corrective Action: 
Investigate the web server for signs of compromise.

Use system integrity checking software and check for other IDS alerts
involving the same IP addresses.

--
Contributors: 
Snort documentation contributed by Anton Chuvakin <http://www.chuvakin.org>
Sourcefire Vulnerability Research Team
Brian Caswell <bmc@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>

-- 
Additional References:

--