Rule:  
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC webdav search access"; flags: A+; content: "SEARCH "; depth: 8; nocase;reference:arachnids,474; classtype:web-application-activity; sid:1070; rev:2;)
--

Sid:
1070

--

Summary:
Someone attempted a WebDAV SEARCH against a web server.

--
Impact:
If the target is IIS 5.0, then an attacker may have gotten a complete
directory listing from within the web root, which can be useful information
for attackers (could be a prelude to a more serious attack).  IIS 5.0's
WebDAV implementation is also vulnerable to a Denial of Service vulnerability
if the search string is too long.

--
Detailed Information:
IIS 5.0 includes an implementation of WebDAV for purposes of web publishing.
As shipped, it contains two vulnerabilities that can allow an attacker
to get a complete directory listing from the web root and to DoS the
web server.

--
Attack Scenarios:
Attacker gets a listing by sending something like:
SEARCH / HTTP/1.1
Attacker DoSes the web server using pre-existing tools.

--
Ease of Attack:
Requires that the attacker run a pre-existing tool for the DoS, or
hand-crafting a URL to get a directory listing.

--
False Positives:
Legitimate web publishers may find use for SEARCH commands.

--
False Negatives:

--
Corrective Action:
Examine the packet to determine whether this was likely an attack or not.
Try to determine whether this was from a legitimate web publisher or not.
Try to determine whether the target web server was IIS 5.0, and if so
whether it is properly patched and configured to resist these attacks.

--
Contributors:

--
Additional References:
CVE:  CVE-2000-0951
Bugtraq:  BID 1756
Bugtraq:  BID 2483
