Snort mailing list archives
Re: WEB-CGI calendar access and DDOS mstream handler to client
From: Wynn Fenwick <wfenwick () FHLSim com>
Date: Thu, 14 Mar 2002 19:44:53 -0500
Hello Goutam,

If you are running Snort on trangress web access you will find that the mstream rule FP's a lot.

I have my client set up to write pass rules for as specific as possible matching, so as to not create a false negative situation. We don't remove rules. This might be a performance dog, but we aren't worried about that as much as a solid process for minimizing false negatives. We do not modify the snort rules provided by snort.org except by pass. This also makes it easier to see what "blind spots" the local admins have introduced.

As far as WEB-CGI goes, you can research this attack, but I believe it's a vulnerable script in a calendaring tool (can't remember the author/vendor).

Some of the rules cut a pretty wide swath so you may need to reduce their scope through some pass rules.

W
Subject: [Snort-users] WEB-CGI calendar access and DDOS mstream handler to client
Date: Thu, 14 Mar 2002 10:57:09 -0800 (PST)
From: Goutam Dastider <gdastider1 () yahoo com>
To: snort-users () lists sourceforge net

We are running Snort 1.8.3 in Windows 2k and we are getting a lot of alerts for web

WEB-CGI calendar access (65%)
DDOS mstream handler to client (2%)
WEB-ATTACKS rm command attempt (2%)
WEB-ATTACKS id command attempt (2%)

We want to know how to prevent this kind of attack. If these are not harmful, how will I stop these alerts?

Thanks
Goutam Dastider
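
The narrow pass-rule approach described in the reply, sketched as an added example that is not taken from either poster's configuration. The addresses, sids, the source port 12754 and the `/calendar` URI are assumptions or constructed values; confirm them against the stock rule files you actually run.

```snort
# local.rules: site-specific pass rules. The stock snort.org rule files stay
# unmodified, so every local blind spot is visible in this one file.
# Every address, port, URI and sid below is constructed for illustration.

# Snort 1.8.x tests alert rules before pass rules by default. Start it with -o
# (rule order Pass|Alert|Log) or these pass rules never suppress anything.

# Constructed: the one internal host that browses out (a proxy) and the one
# web server that hosts a known, legitimate calendar page.
var WEB_PROXY 192.0.2.10
var CAL_SERVER 192.0.2.20

# False positives from "DDOS mstream handler to client" on outbound web traffic.
# Assumption: the stock rule keys on TCP source port 12754 leaving $HOME_NET;
# check the port in your ddos.rules before copying it here.
# Scope: one source host, one source port, destination port 80 only.
pass tcp $WEB_PROXY 12754 -> $EXTERNAL_NET 80 (msg:"LOCAL pass proxy web traffic from port 12754"; sid:1000001; rev:1;)

# False positives from "WEB-CGI calendar access".
# Assumption: the stock rule matches any request URI containing "/calendar".
# Scope: one server and one exact page (constructed path), so requests for any
# other calendar script on this or another server still alert.
pass tcp $EXTERNAL_NET any -> $CAL_SERVER 80 (msg:"LOCAL pass known calendar page"; uricontent:"/calendar/index.html"; nocase; sid:1000002; rev:1;)

# For contrast, a pass rule that is too wide. It would hide the port for every
# internal host and every destination, which is the false-negative situation
# the reply is trying to avoid. Left commented out on purpose.
# pass tcp $HOME_NET 12754 -> $EXTERNAL_NET any (msg:"LOCAL too wide";)
```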