Snort mailing list archives

Re: WEB-CGI calendar access and DDOS mstream handler to client


From: Wynn Fenwick <wfenwick () FHLSim com>
Date: Thu, 14 Mar 2002 19:44:53 -0500

Hello Goutam,

If you are running Snort on trangress web access you will find that the
mstream rule FP's a lot.

I have my client set up to write pass rules for as specific as possible
matching, so as to not create a false negative situation. We don't
remove rules. This might be a performance dog, but we aren't worried
about that as much as a solid process for minimizing false negatives.

We do not modify the snort rules provided by snort.org except by pass.
This also makes it easier to see what "blind spots" the local admins
have introduced.

As far as WEB-CGI goes, you can research this attack, but I believe it's
a vulnerable script in a calendaring tool (can't remember the
author/vendor). Some of the rules cut a pretty wide swath so you may
need to reduce their scope through some pass rules.

W
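An added example of the pass-rule approach described above (not from either poster): a local rules file that silences the WEB-CGI calendar alert only for one trusted internal host, leaving the stock rule untouched for everyone else. The addresses, the `$HTTP_SERVERS` variable and the `/calendar` URI string are assumptions; a pass rule only covers an alert whose header and detection options it reproduces, so copy those from the installed rule rather than from here.

```snort
# local-pass.rules (added example; addresses are constructed placeholders)
#
# The stock alert in web-cgi.rules stays exactly as distributed. This pass
# rule repeats its header and detection options but narrows the source to
# the single internal host known to generate the alert legitimately, so a
# real probe from anywhere else still fires.
pass tcp 192.0.2.10 any -> $HTTP_SERVERS 80 (msg:"PASS WEB-CGI calendar access from trusted host"; flags:A+; uricontent:"/calendar"; nocase;)

# Caveat: Snort 1.x applies rules in Alert -> Pass -> Log order by default,
# so a pass rule changes nothing until Snort is started with -o, which
# switches the order to Pass -> Alert -> Log:
#   snort -o -c snort.conf
```

Keeping pass rules in their own file makes the locally introduced blind spots easy to review, which is the point the reply above makes about never editing the snort.org rules directly.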


Subject: [Snort-users] WEB-CGI calendar access and DDOS mstream handler to client

Date: Thu, 14 Mar 2002 10:57:09 -0800 (PST)
From: Goutam Dastider <gdastider1 () yahoo com>
To: snort-users () lists sourceforge net

We are running Snort 1.8.3 on Windows 2k and we are getting a lot of alerts
for web:

WEB-CGI calendar access (65%)

DDOS mstream handler to client (2%)

WEB-ATTACKS rm command attempt (2%)

WEB-ATTACKS id command attempt (2%)

We want to know how to prevent this kind of attack, or, if these are not
harmful, how I can stop these alerts.

Thanks

Goutam Dastider
