Tuesday, September 1

Microsoft IIS 5/6 FTP 0Day

In my job, I see a lot of Snort rules being thrown around for this that, and the other thing. The thing I try to emphasize is not to make rules for rules sake. Don't write rules just because you can. Write rules because you have to.

So recently an exploit for Microsoft IIS's FTP daemon was released on Milw0rm. (Go find it yourself if you must.) Almost immediately I saw a ton of people trying to make rules for it. Turns out, rules didn't need to be made.

The Ftp_telnet preprocessor was written a long time ago to deal with these "buffer overflow" type of exploits. Plus, a lot of old rules were already in place to catch it.

Check out the VRT's blog post about it here. Use the rules and preprocessor alerts that they suggest.

So, lesson learned here? Before you try and write rules, get a pcap and run it through Snort with all the rules on already. You should have a separate instance of Snort that you use for running pcaps through that mimics your actual live set up. This instance of Snort should have every rule turned on and every preprocessor alert on. That way you can see, if you run a pcap through Snort, what alerts, and if you need to write a rule in the first place.

No comments: