Snort mailing list archives

Re: FlexResp Running (I THINK!)


From: "Ben Johansen" <benj () intelisoft net>
Date: Thu, 30 Aug 2001 17:49:43 -0700

This is for Clarification.

I was getting CodeReds like the rest of the world, so I said to myself
"self, I said, let's try flexresp on one of these," since it is a regular event
(I set my watch by it, LOL).
So that is why I am using the CMD.EXE for the test, well, and I am tired of
the (h/cr/sl)ackers  B-)

The Dr. Watsons hit when the attack came in; Snort would start and run fine
until the hit.

Snort is just running in a Command Prompt (cmd.exe) instance, not as a
Service.

Ben Johansen www.pcforge.com


----- Original Message -----
From: "Joe McAlerney" <joey () SiliconDefense com>
To: <benj () intelisoft net>
Cc: "Snort-Users" <snort-users () lists sourceforge net>
Sent: Thursday, August 30, 2001 5:04 PM
Subject: Re: [Snort-users] FlexResp Running (I THINK!)


Mike Steele and I are going to spend some time tomorrow looking into
this, and other issues with the various Win32 builds.  We'll be sure to
report anything that comes out of our research, and hopefully get back
with some solutions.

Kind Regards,

-Joe M.

--
|   Joe McAlerney     joey () silicondefense com   |
| Silicon Defense - Technical Support for Snort |
|       http://www.silicondefense.com/          |
+--                                           --+

Ben Johansen wrote:

OK
on winnt 4.0 running Snort_flexresp_181 from silicon defense.

NOTE: I have tried ; in the vars (like readme.flexresp states), same
problem.

Vars in Config file
-----------------
# just stop the offender
var RESP_TCP resp:rst_snd

# also kill a possible local counterpart
var RESP_TCP_URG resp:rst_all

under web-iis.rules tried
-------------------------
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe
access"; flags: A+; content:"cmd.exe"; nocase; classtype:attempted-user;
sid:1002; rev:1; $RESP_TCP;)
- Dr. Watson

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe
access"; flags: A+; content:"cmd.exe"; nocase; classtype:attempted-user;
sid:1002; rev:1; $RESP_TCP_URG;)
- Dr. Watson

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe
access"; flags: A+; content:"cmd.exe"; nocase; classtype:attempted-user;
sid:1002; rev:1; resp:rst_all;)
- Dr. Watson

But when I used the React instead of the Response

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe
access"; flags: A+; content:"cmd.exe"; nocase; classtype:attempted-user;
sid:1002; rev:1; react:block;)

No Crash, and also no log entries in snort.log...
I am assuming this is a good thing, and snort is blocking the traffic.

Any comments ;)

Ben Johansen - www.pcforge.com

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
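The rules and `var` lines in the thread above lend themselves to a small checker; the following is an added example (not code from the thread or from Snort itself) that expands the `$RESP_TCP`-style macros the way Snort's config does and verifies that each `resp:`/`react:` option only uses the FlexResp modifiers Snort 1.8 documents. Assumptions: the modifier names in `RESP_MODS`/`REACT_MODS` are taken from the Snort 1.8 FlexResp documentation, and the `CONFIG` text is constructed from the "Vars in Config file" section above.

```python
"""Expand Snort `var` macros and sanity-check FlexResp rule options.
Added example; it is not part of the thread or of Snort itself."""
import re

# resp: modifiers documented for Snort 1.8 FlexResp (assumption: this list)
RESP_MODS = {"rst_snd", "rst_rcv", "rst_all",
             "icmp_net", "icmp_host", "icmp_port", "icmp_all"}
# react: modifiers documented for Snort 1.8 FlexResp (assumption: this list)
REACT_MODS = {"block", "warn", "msg", "proxy"}

# Constructed from the "Vars in Config file" section of the thread
CONFIG = """
# just stop the offender
var RESP_TCP resp:rst_snd
# also kill a possible local counterpart
var RESP_TCP_URG resp:rst_all
"""

def parse_vars(config_text):
    """Collect `var NAME VALUE` lines into a dict (comments are skipped)."""
    found = {}
    for line in config_text.splitlines():
        m = re.match(r"\s*var\s+(\S+)\s+(.+?)\s*$", line)
        if m:
            found[m.group(1)] = m.group(2)
    return found

def expand_vars(rule, variables):
    """Replace $NAME with its value; names not defined are left untouched."""
    return re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), rule)

def parse_options(rule):
    """Split the (...) part of a rule into (keyword, argument) pairs.
    Empty items, e.g. from a doubled ';' when the var itself ends in ';',
    are dropped. Escaped '\\;' inside content strings is not handled."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    pairs = []
    for item in body.split(";"):
        item = item.strip()
        if item:
            key, _, arg = item.partition(":")
            pairs.append((key.strip(), arg.strip()))
    return pairs

def check_flexresp(rule, variables):
    """Return a list of problems found in the rule's resp/react options."""
    problems = []
    for key, arg in parse_options(expand_vars(rule, variables)):
        allowed = {"resp": RESP_MODS, "react": REACT_MODS}.get(key)
        if allowed is None:
            continue            # not an active-response option
        mods = [m.strip() for m in arg.split(",") if m.strip()]
        if not mods:
            problems.append(f"{key}: no modifier given")
        for m in mods:          # "proxy 8000" -> first word is the modifier
            if m.split()[0] not in allowed:
                problems.append(f"{key}: unknown modifier {m!r}")
    return problems
```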
