Snort mailing list archives
Curse of the cmd.exe
From: "Sam Evans" <sam () neuroflux com>
Date: Thu, 13 Jun 2002 18:27:30 -0600
I was wondering if there is any way to alter a signature (maybe by using the dynamic rules?) to have it record when a cmd.exe attempt on port 80 is followed by the server's 200 OK?

It seems pointless to me to log 10,000 cmd.exe attempts from outside hosts when you don't know what the actual outcome was. Sure, you have to go to your webserver logs to find out the real result, but with all the Nimda / Code Red still going on, that makes for a very long day of log searching.

Does anyone have suggestions for a solution? Is there one? It seems like it should be really easy to do.. in theory..

Thanks,
Sam
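Added example, not part of the original post and not Snort code: one way to shorten the web server log search described above is to pull only the cmd.exe requests out of the log and split them by the status the server returned. It assumes IIS-style W3C extended logs with a `#Fields:` header; the log lines, addresses and function names are constructed for illustration.

```python
from collections import Counter
from urllib.parse import unquote

# Constructed sample in W3C extended format (documentation-range addresses).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-06-13 18:01:10 192.0.2.10 GET /scripts/cmd.exe - 404
2002-06-13 18:01:11 192.0.2.10 GET /scripts/CMD.EXE - 404
2002-06-13 18:02:40 198.51.100.7 GET /scripts/cmd%2eexe - 200
2002-06-13 18:03:05 203.0.113.5 GET /index.html - 200
2002-06-13 18:04:19 198.51.100.7 GET /msadc/cmd%252eexe - 403
"""

def normalize(uri, max_rounds=3):
    """Percent-decode repeatedly (bounded) so encoded spellings still match."""
    for _ in range(max_rounds):
        uri, prev = unquote(uri), uri
        if uri == prev:
            break
    return uri.lower()

def cmd_exe_requests(lines, needle="cmd.exe"):
    """Yield one dict per logged request whose URI contains the needle."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column layout can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        uri = row.get("cs-uri-stem", "") + "?" + row.get("cs-uri-query", "")
        if needle in normalize(uri):
            yield row

def triage(lines):
    """Split attempts into served (2xx) hits and a per-status count of the rest."""
    served, rejected = [], Counter()
    for row in cmd_exe_requests(lines):
        status = row.get("sc-status", "")
        if status.startswith("2"):
            served.append((row["date"], row["time"], row["c-ip"], row["cs-uri-stem"]))
        else:
            rejected[status] += 1
    return served, rejected

if __name__ == "__main__":
    print(triage(SAMPLE_LOG.splitlines()))
```

Only the `served` entries need a closer look; the `rejected` counter collapses the worm noise into one number per status code.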