Snort mailing list archives
correlating alerts with action required
From: Mike Sapsara <msapsara () yahoo com>
Date: Fri, 26 Apr 2002 11:32:43 -0700 (PDT)
So I've got my snort sensor running, watching traffic from the ISP. A firewall limits ports and access to a web server. I log many 'accesses' or 'attempts' (from the rule definitions) for all the various IIS vulnerabilities. I was curious about a rule in the web-iis.rules file that was alerting me when someone tried to access cmd.exe. I went to the log on the IIS server and found the event, and it returned a 404. Fine, good answer. I know that system is patched and up to date. My fairly basic question is, how can you tell if (and how) a host responded to one of these probes and is a canidate for compromise ? I am running 1.8.6, nothing fancy, just logging via syslog. Mike __________________________________________________ Do You Yahoo!? Yahoo! Games - play chess, backgammon, pool and more http://games.yahoo.com/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- correlating alerts with action required Mike Sapsara (Apr 26)
- <Possible follow-ups>
- RE: correlating alerts with action required Wirth, Jeff (Apr 26)