Snort mailing list archives
RE: FlexResp Running (I THINk!)
From: "Ben Johansen" <benj () intelisoft net>
Date: Fri, 31 Aug 2001 09:52:43 -0700
Well, I guess the code reds weren't coming quite like clockwork, this morning with just the react in the one rule in "web-iis.rules"

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; flags: A+; content:"cmd.exe"; nocase; classtype:attempted-user; sid:1002; rev:1; react:block;)

I had a Dr. Watson and Snort had turned off.

Ok Recap...

- Win32_Snort_FlexResp_181
- WinPCap 2.2
- LibnetNT.dll in same directory as snort. (nothing done to register dll)
- Start snort -> snort -c snort.cfg -l snort.log -o
- No changes to conf file from plain Win32_Snort_181 except adding Flex Vars.
- running from Command Prompt (cmd.exe not in path)

I removed the React and started getting the code red hits in log?

My ultimate goal is to start creating rules that will block the new JavaScript viruses starting to show up.

Ben Johansen - www.pcforge.com