Snort mailing list archives

Re: Help with web servers


From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 24 Feb 2003 15:08:39 -0500

At 08:54 PM 2/24/2003 +0100, Sébastien Bisoglio wrote:
> Thanks for your answer
>
> I'll explain..
>
> I have two computers
> 1) The web server (192.168.1.10 in my network)
> 2) Firewall (and NAT) + SNORT (192.168.1.1 internal and 195.202.209.230 external)
>
> Snort is listening on external (195.202.209.230 = eth1)

In this scenario the IP that snort should see for your web server is 195.202.209.230

so: var HTTP_SERVERS [195.202.209.230/32] should theoretically work for you.


> I have tested a Unicode bug (IIS security "bug") from another PC on the
> Internet, accessing my web server via the 195.202.209.230 IP address.
>
> but snort doesn't log them..

Ok that's the correct way to test it... Does snort catch other stuff from this source? Have you tried a simple "catch all" rule like this one?

alert tcp any any -> $HTTP_SERVERS 80 (msg:"Test inbound http traffic detected"; flow:to_server,established; sid:1000000; rev:1;)

Note: the above rule should be very noisy.

Some other things to consider:

Is HTTP_PORTS set correctly? Note that despite the name, HTTP_PORTS cannot be a comma-delimited list; it must be a single number, or a range, or a negation of a number or range.

Valid examples:
        var HTTP_PORTS 80
        var HTTP_PORTS [80:100]

Invalid, common mistake:
        var HTTP_PORTS [80,8080]

Are you sure that there is a snort signature for the particular unicode bug you tried?

Do you have the http preprocessor fully enabled, as such:

preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace



> Sorry for my poor English, but I'm French.

That's fine, I assumed you were a non-native speaker, but based on your email address I had assumed you were Czech, not French.


> THX
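
The three configuration points raised in the reply above (the address Snort sees behind NAT, the HTTP_PORTS list mistake, and variable references in a rule) can be checked mechanically. The following is an added example, not part of the original message and not Snort code; `lint_snort_conf` and both sample configs are constructed, and it assumes the `var` syntax shown in the message.

```python
import ipaddress
import re

# Port forms the message lists as valid: a number, a range, or a negation of either.
PORT_OK = re.compile(r"^!?\[?(\d+|\d+:\d*|:\d+)\]?$")
RULE_ACTIONS = ("alert", "log", "pass")

def lint_snort_conf(text, seen_ip):
    """Return (line_number, message) findings; lint_snort_conf is a hypothetical helper.

    seen_ip: the web server's address as the sensor sees it (with the sensor
    on the NAT box's external interface, that is the external address)."""
    findings, variables = [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0] == "var":
            name, value = parts[1], parts[2].strip()
            variables[name] = value
            if name.endswith("_PORTS") and value != "any" and not PORT_OK.match(value):
                findings.append((n, f"{name}: '{value}' is not a single port or range"))
            if name == "HTTP_SERVERS" and value != "any" and not value.startswith("$"):
                nets = [ipaddress.ip_network(v.strip(), strict=False)
                        for v in value.strip("[]").split(",")]
                if not any(ipaddress.ip_address(seen_ip) in net for net in nets):
                    findings.append((n, f"HTTP_SERVERS does not cover {seen_ip}"))
        elif parts and parts[0] in RULE_ACTIONS:
            # Only the rule header (before the option list) holds address/port variables.
            for token in line.split("(", 1)[0].split()[2:]:
                if token.lstrip("!") in variables:
                    findings.append((n, f"'{token}' is missing the leading $"))
    return findings

# Constructed sample configs (not from the original message).
BAD_CONF = """\
var HTTP_SERVERS [192.168.1.10/32]
var HTTP_PORTS [80,8080]
alert tcp any any -> HTTP_SERVERS 80 (msg:"Test"; sid:1000000; rev:1;)
"""
GOOD_CONF = """\
var HTTP_SERVERS [195.202.209.230/32]
var HTTP_PORTS [80:100]
alert tcp any any -> $HTTP_SERVERS 80 (msg:"Test"; sid:1000000; rev:1;)
"""

if __name__ == "__main__":
    for lineno, msg in lint_snort_conf(BAD_CONF, "195.202.209.230"):
        print(f"line {lineno}: {msg}")
```

Run against the constructed bad config, it reports the internal address in HTTP_SERVERS, the comma list in HTTP_PORTS, and the rule that names the variable without `$`.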


