Snort mailing list archives
Re: FlexResp Running (I THINK!)
From: "Ben Johansen" <benj () intelisoft net>
Date: Thu, 30 Aug 2001 17:49:43 -0700
This is for clarification. I was getting Code Reds like the rest of the world, so I said to myself, "Self," I said, "let's try FlexResp on one of these," since it is a regular event (I set my watch by it, LOL). So that is why I am using the CMD.EXE for the test, well, and I am tired of the (h/cr/sl)ackers B-)

The Dr. Watsons hit when the attack came in; Snort would start and run fine until the hit.

Snort is just running in a Command Prompt (cmd.exe) instance, not as a Service.

Ben Johansen
www.pcforge.com

----- Original Message -----
From: "Joe McAlerney" <joey () SiliconDefense com>
To: <benj () intelisoft net>
Cc: "Snort-Users" <snort-users () lists sourceforge net>
Sent: Thursday, August 30, 2001 5:04 PM
Subject: Re: [Snort-users] FlexResp Running (I THINK!)
Mike Steele and I are going to spend some time tomorrow looking into this, and other issues with the various Win32 builds. We'll be sure to report anything that comes out of our research, and hopefully get back with some solutions.

Kind Regards,

-Joe M.

--
| Joe McAlerney joey () silicondefense com |
| Silicon Defense - Technical Support for Snort |
| http://www.silicondefense.com/ |
+-- --+

Ben Johansen wrote:
> OK, on WinNT 4.0 running Snort_flexresp_181 from Silicon Defense.
>
> NOTE: I have tried ";" in the vars (like readme.flexresp states); same problem.
>
> Vars in Config file
> -----------------
> # just stop the offender
> var RESP_TCP resp:rst_snd
> # also kill a possible local counterpart
> var RESP_TCP_URG resp:rst_all
>
> under web-iis.rules tried
> -------------------------
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; flags: A+; content:"cmd.exe"; nocase; classtype:attempted-user; sid:1002; rev:1; $RESP_TCP;)
> - Dr. Watson
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; flags: A+; content:"cmd.exe"; nocase; classtype:attempted-user; sid:1002; rev:1; $RESP_TCP_URG;)
> - Dr. Watson
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; flags: A+; content:"cmd.exe"; nocase; classtype:attempted-user; sid:1002; rev:1; resp:rst_all;)
> - Dr. Watson
>
> But when I used the React instead of the Response:
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; flags: A+; content:"cmd.exe"; nocase; classtype:attempted-user; sid:1002; rev:1; react:block;)
> No Crash, and also no log entries in snort.log...
> I am assuming this is a good thing, and Snort is blocking the traffic.
>
> Any comments ;)
>
> Ben Johansen - www.pcforge.com
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
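The thread above tries three spellings of the same active-response rule (a `$RESP_TCP` variable, a `$RESP_TCP_URG` variable, and a literal `resp:rst_all`) before falling back to `react:block`. Before loading rules like these into a sensor that can crash on them, it is worth checking offline that the `var` substitution produces what you intended and that every `resp`/`react` option only uses modifiers the plugin knows. The checker below is an added example for this page, not code from the thread or from Snort itself. It assumes `var` names are expanded textually into the rule option body, the way the poster expected, and it uses the modifier names documented for Snort 1.8's FlexResp plugin (`resp`: rst_snd, rst_rcv, rst_all, icmp_net, icmp_host, icmp_port, icmp_all; `react`: block, warn, msg, proxy &lt;port&gt;). The sample config and rule are constructed from the post above.

```python
import re

# Modifier names documented for Snort 1.8's FlexResp "resp" keyword and for
# the "react" keyword ("proxy" additionally takes a port number).
RESP_MODIFIERS = {"rst_snd", "rst_rcv", "rst_all",
                  "icmp_net", "icmp_host", "icmp_port", "icmp_all"}
REACT_MODIFIERS = {"block", "warn", "msg", "proxy"}

# Constructed sample input: the var lines and one rule from the post above.
SAMPLE_CONFIG = """\
# just stop the offender
var RESP_TCP resp:rst_snd
# also kill a possible local counterpart
var RESP_TCP_URG resp:rst_all
"""
SAMPLE_RULE = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 '
               '(msg:"WEB-IIS cmd.exe access"; flags: A+; content:"cmd.exe"; '
               'nocase; classtype:attempted-user; sid:1002; rev:1; $RESP_TCP;)')


def parse_vars(config_text):
    """Collect 'var NAME value' definitions from snort.conf text (comments are skipped
    because they never start with 'var')."""
    found = {}
    for line in config_text.splitlines():
        m = re.match(r"var\s+(\S+)\s+(.+)$", line.strip())
        if m:
            found[m.group(1)] = m.group(2).strip()
    return found


def expand_vars(text, variables):
    """Textually replace $NAME with its definition (the assumed expansion model).
    Returns (expanded_text, list_of_undefined_names)."""
    undefined = []

    def sub(match):
        name = match.group(1)
        if name in variables:
            return variables[name]
        undefined.append(name)
        return match.group(0)          # leave unknown names in place

    return re.sub(r"\$([A-Za-z_][A-Za-z0-9_]*)", sub, text), undefined


def rule_body(rule):
    """Return the text between the outer parentheses of a rule."""
    m = re.search(r"\((.*)\)\s*$", rule.strip())
    if not m:
        raise ValueError("rule has no option body")
    return m.group(1)


def split_options(body):
    """Split an option body on ';' while respecting double-quoted strings, so
    content:"a;b" stays one option. Empty options (e.g. from ';;') are dropped.
    Returns a list of (keyword, value) pairs; value is '' for bare keywords."""
    items, cur, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            items.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    items.append("".join(cur))
    pairs = []
    for item in items:
        item = item.strip()
        if not item:
            continue
        key, _, val = item.partition(":")
        pairs.append((key.strip(), val.strip()))
    return pairs


def check_active_response(rule, variables):
    """Expand variables in the option body and validate every resp/react option.
    Returns a list of problem strings; an empty list means the rule looks well-formed."""
    problems = []
    body, undefined = expand_vars(rule_body(rule), variables)
    problems += [f"undefined variable ${n} in rule options" for n in undefined]
    for key, val in split_options(body):
        mods = [m.strip() for m in val.split(",") if m.strip()]
        if key == "resp":
            if not mods:
                problems.append("resp has no modifiers")
            problems += [f"unknown resp modifier '{m}'" for m in mods if m not in RESP_MODIFIERS]
            if "rst_all" in mods and {"rst_snd", "rst_rcv"} & set(mods):
                problems.append("rst_all already implies rst_snd and rst_rcv")
        elif key == "react":
            if not mods:
                problems.append("react has no modifiers")
            for m in mods:
                parts = m.split()
                if parts[0] not in REACT_MODIFIERS:
                    problems.append(f"unknown react modifier '{m}'")
                elif parts[0] == "proxy" and not (len(parts) == 2 and parts[1].isdigit()):
                    problems.append("react proxy needs a numeric port, e.g. 'proxy 8000'")
    return problems


if __name__ == "__main__":
    v = parse_vars(SAMPLE_CONFIG)
    print(check_active_response(SAMPLE_RULE, v))
    print(check_active_response(SAMPLE_RULE.replace("$RESP_TCP", "resp:rst_sned"), v))
```

Run it against your own snort.conf and rule files before enabling active response on a sensor: a typo in a modifier or a `var` that never got defined shows up here as a named problem rather than as a rule the sensor silently ignores or mishandles. The quote-aware splitter also keeps a `content` pattern containing `;` intact, which a naive `split(";")` would not.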
Current thread:
- FlexResp Running (I THINK!) Ben Johansen (Aug 30)
- Re: FlexResp Running (I THINK!) Joe McAlerney (Aug 30)
- Re: FlexResp Running (I THINK!) Ben Johansen (Aug 30)
- Re: FlexResp Running (I THINK!) Skip Carter (Aug 30)
- <Possible follow-ups>
- RE: FlexResp Running (I THINK!) Burleson, Lee (IA) (Aug 31)
- RE: FlexResp Running (I THINK!) Michael Davis (Aug 31)
- RE: FlexResp Running (I THINk!) Ben Johansen (Aug 31)
- Re: FlexResp Running (I THINK!) Joe McAlerney (Aug 30)