Snort mailing list archives
Re: Curse of the cmd.exe
From: Chris Keladis <Chris.Keladis () cmc cwo net au>
Date: Fri, 14 Jun 2002 19:30:20 +1000
Sam Evans wrote:
I was wondering if there is any way to alter a signature (maybe by using the dynamic rules?) to have it record when a cmd.exe attempt on port 80 is followed by the server's 200 OK ?
>
Does anyone have suggestions for a solution? Is there one? It seems like it should be really easy to do.. in theory..
I'd say you could use dynamic rules to achieve what you require, for now.Have a cmd.exe rule that chains to another rule which checks for a 200 OK from the webserver before it issues a final verdict on an alert.
According to the Snort docs on www.snort.org it seems dynamic rules will be phased out in favour of 'rule tagging' which i'd guess explains why rule chaining isn't used much in the current Snort ruleset (just my assumption, anyway).
Also the (upcoming) flow module might be of assistance to you here as well (http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.3.36).
Snort v2.0 sounds very promising :-) Regards, Chris. _______________________________________________________________ Don't miss the 2002 Sprint PCS Application Developer's Conference August 25-28 in Las Vegas - http://devcon.sprintpcs.com/adp/index.cfm?source=osdntextlink _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Exploit? Michael Northup (Jun 13)
- Re: Exploit? (RCPT overflow) matt (Jun 13)
- Curse of the cmd.exe Sam Evans (Jun 13)
- Re: Curse of the cmd.exe Chris Keladis (Jun 14)
- RE: Curse of the cmd.exe Andy McLeod (Jun 17)
- RE: Exploit? Don (Jun 13)
- <Possible follow-ups>
- RE: Exploit? Hilton De Meillon (Jun 13)
- RE: Exploit? Michael Brown (Jun 17)