This policy contains a rule that detects attempts to overflow the ntdll.dll system component used by WebDAV (Microsoft Windows 2000 WebDAV Buffer Overflow Vulnerability). WebDAV fails to perform sufficient bounds checking on data that it passes to a particular system component.
This alert is a result of attempts to exploit an IIS machine.
NOTE: This policy only works if the instructions for installation and configuration of the ITAFilter.dll on the appropriate host have been implemented. These instructions are outlined below.
Download ITA W2K_MS_IIS_WebDAV Policy
Windows 2000 w/IIS 5.0
This policy applies to all known WebDAV vulnerabilities.
Policy rules include:
- WebDAV_Translate_Exploit_Detected
This rule detects an exploit for an IIS WebDAV "Translate: F" overflow.
In order to use this policy for IIS, the ITA ISAPI Filter needs to be installed on the web server being monitored by an Intruder Alert agent.
Download the ISAPI filter from the Symantec Security Response Web site and copy it to the %SYSTEMROOT%\system32\inetsrv folder. Then open the Internet Services Manager and select the Server Icon.
- Right-Click the selected icon and scroll down until Properties has been selected. Click the Properties Menu item.
- Click the Edit button that is next to the Master Properties of the WWW Service.
- Click the ISAPI Filters tab.
- Click Add. Type a name for the ISAPI filter. Click Browse and select the ISAPI filter that you copied (%systemroot%\system32\inetsrv\ITAFilter.dll).
- Click OK.
- Restart the IIS Service. To do this, return to (1) above and select Restart IIS..., or use the Services applet that is located in Control Panel (in Windows NT 4.0).
- Browse back to the ISAPI Filters tab (by following steps 1-5) and verify that the filter is loaded properly. You should see a green arrow pointing up under the Status column.
NOTE: The destination folder in which the ISAPI filter resides should be accessible only by Administrators of the local machine. This helps to ensure that only authorized individuals can modify, replace, or move the filter.
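
The permission requirement in the NOTE above can be checked from the output of the Windows `cacls` command. The following Python code is an added example, not part of the Symantec policy or filter: it parses `cacls` output for the filter path and reports every principal outside an allow list. The sample output, the C:\WINNT path, and the inclusion of SYSTEM in the allow list are assumptions constructed for this example.

```python
import re

# Assumption: principals permitted to hold any access to the filter.
# The page names Administrators; SYSTEM is added here as an assumption.
ALLOWED = {"BUILTIN\\Administrators", "NT AUTHORITY\\SYSTEM"}
# cacls simple rights that permit modifying, replacing or moving a file.
WRITE_RIGHTS = {"F", "C", "W"}

# "<principal>:<optional (OI)(CI)(IO) flags><one-letter right>"
ACE_RE = re.compile(r"^(?P<who>[^:]+?):(?:\([A-Z]+\))*(?P<right>[A-Z])\s*$")

def parse_cacls(output, path):
    """Return [(principal, right)] from cacls output for a single path."""
    aces = []
    for i, line in enumerate(output.splitlines()):
        if i == 0 and line.lower().startswith(path.lower()):
            line = line[len(path):]  # first ACE shares its line with the path
        line = line.strip()
        m = ACE_RE.match(line)
        if m:
            aces.append((m.group("who").strip(), m.group("right")))
        elif ":" in line:
            # Special-access or DENY entries: keep them for manual review.
            aces.append((line.split(":")[0].strip(), "?"))
    return aces

def audit(output, path, allowed=ALLOWED):
    """Return [(principal, right, risk)] for principals not in the allow list."""
    allowed_upper = {a.upper() for a in allowed}
    findings = []
    for who, right in parse_cacls(output, path):
        if who.upper() in allowed_upper:
            continue
        risk = "write" if right in WRITE_RIGHTS else "read" if right == "R" else "unknown"
        findings.append((who, right, risk))
    return findings

# Constructed sample of `cacls <path>` output (not captured from a real host).
SAMPLE_PATH = r"C:\WINNT\system32\inetsrv\ITAFilter.dll"
SAMPLE = (
    SAMPLE_PATH + " BUILTIN\\Administrators:F\n"
    "                                        NT AUTHORITY\\SYSTEM:F\n"
    "                                        BUILTIN\\Users:R\n"
    "                                        Everyone:C\n"
)

if __name__ == "__main__":
    for principal, right, risk in audit(SAMPLE, SAMPLE_PATH):
        print(f"{principal}: right={right} risk={risk}")
```

Any finding with risk "write" means a non-administrative principal could replace the filter; entries reported as "unknown" need to be reviewed by hand.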

NOTE: It is assumed that all the latest applicable security updates, service packs and patches have been installed for each respective version of IIS.
To configure Intruder Alert to monitor an external audit log, follow the steps below.
- In the Registered Agents branch, select the Agent on the web server.

- Click NEW
The Audit Log dialog box appears.

- In the Description box, type a description of the log file.
- In the File Name box, type the path and the filename to monitor. In this case the ITAFilter.log file will be found in the system folder where Intruder Alert was installed (i.e. C:\Program Files\Symantec\ITA\system\ITAFilter.log).
- Select Single Line for the single line log file.
- Select OK.
- Select Save from the Agent Configuration view.
Last modified on: Wednesday, 19-Mar-03 00:41:34