Rule:  
--

Sid:
1070

--

Summary:
Someone attempted a WebDAV SEARCH against a web server.

--
Impact:
If the target is IIS 5.0, then an attacker may have gotten a complete
directory listing from within the web root, which can be useful information
for attackers (could be a prelude to a more serious attack).  IIS 5.0's
WebDAV implementation is also vulnerable to a Denial of Service vulnerability
if the search string is too long.

--
Detailed Information:
IIS 5.0 includes an implementation of WebDAV for purposes of web publishing.
As shipped, it contains two vulnerabilities that can allow an attacker
to get a complete directory listing from the web root and to DoS the
web server.

--
Affected Systems:
 
--
Attack Scenarios:
Attacker gets a listing by sending something like:
SEARCH / HTTP/1.1
Attacker DoSes the web server using pre-existing tools.

--
Ease of Attack:
Requires that the attacker run a pre-existing tool for the DoS, or
hand-crafting a URL to get a directory listing.

--
False Positives:
None Known
Legitimate web publishers may find use for SEARCH commands.

--
False Negatives:
None Known

--
Corrective Action:
Examine the packet to determine whether this was likely an attack or not.
Try to determine whether this was from a legitimate web publisher or not.
Try to determine whether the target web server was IIS 5.0, and if so
whether it is properly patched and configured to resist these attacks.

--
Contributors:
Original rule writer unknown
Original document author unkown
Sourcefire Vulnerability Research Team
Nigel Houghton <nigel.houghton@sourcefire.com>

--
Additional References:
CVE:  CVE-2000-0951
Bugtraq:  BID 1756
Bugtraq:  BID 2483
