Snort mailing list archives

correlating alerts with action required

From: Mike Sapsara <msapsara () yahoo com>
Date: Fri, 26 Apr 2002 11:32:43 -0700 (PDT)

So I've got my snort sensor running, watching traffic
from the ISP.  A firewall limits ports and access to a
web server.  I log many 'accesses' or 'attempts' (from
the rule definitions) for all the various IIS
vulnerabilities.  I was curious about a rule in the
web-iis.rules file that was alerting me when someone
tried to access cmd.exe.  I went to the log on the IIS
server and found the event, and it returned a 404. 
Fine, good answer.  I know that system is patched and
up to date.

My fairly basic question is, how can you tell if (and
how) a host responded to one of these probes and is a
canidate for compromise ?

I am running 1.8.6, nothing fancy, just logging via
syslog.

Mike

__________________________________________________
Do You Yahoo!?
Yahoo! Games - play chess, backgammon, pool and more
http://games.yahoo.com/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

correlating alerts with action required Mike Sapsara (Apr 26)
- <Possible follow-ups>
- RE: correlating alerts with action required Wirth, Jeff (Apr 26)