Snort mailing list archives

RE: Snort "detect_scan" Bypass Alert


From: "Kalteis, Nico (Contractor)" <Nico.Kalteis () ed gov>
Date: Fri, 28 Mar 2003 15:14:21 -0500

That certainly makes sense, but at one point I even made a completely
stripped down version of the snort.conf file that looked simply like this:

var HOME_NET any
var EXTERNAL_NET any
var HTTP_SERVERS any
var HTTP_PORTS any
output alert_syslog: LOG_AUTH LOG_ALERT
output alert_unified: filename snort.alert, limit 128
# output log_unified: filename snort.log, limit 128
include c:\snort\etc\classification.config
include c:\snort\etc\reference.config
# alert tcp any any -> any any
alert tcp any any -> any any (msg:"WEB-IIS cmd.exe access"; content:"cmd.exe"; nocase;)

And that one didn't specify ANY preprocessors and STILL didn't log anything.
By the way, the way I am trying to trigger this rule, which has always
worked before, is to open a browser on another machine and typing
http://ipaddr_of_snort_machine/cmd.exe

Thanks for being so patient with me.  And I'll go try what you said anyway
:-)

Nico



-----Original Message-----
From: Erek Adams [mailto:erek () snort org]
Sent: Friday, March 28, 2003 3:01 PM
To: Jose Ramon Hernandez Macias
Cc: snort-users () lists sourceforge net; erek () snort org
Subject: Re: [Snort-users] Snort "detect_scan" Bypass Alert


On Fri, 28 Mar 2003, Jose Ramon Hernandez Macias wrote:

> Just a question, that article suggests deleting the "detect_scans"
> option in the stream4 preprocessor in snort 1.9.1, if I do that I'm
> gonna lose every Stealth Scan detection like STEALTH ACTIVITY (Vecna
> scan) detection, STEALTH ACTIVITY (Xmas scan) detection, etc. right? So,
> I'm gonna lose all those detections if I delete that option?
>
> Maybe it is better to be sure that those kinds of packets are filtered
> on the border router/firewall instead of removing all the stealth
> detections from stream4 right?

If you remove the detect_scans option from stream4, then it will not have
the ability to detect scans.  :)  You can enable one of the two portscan
preprocessors and use them if you wish.

As for dropping traffic....  Just like with any other traffic.  Better
make sure what traffic you have that might have those flags (if any).
Just your luck, you'd drop something important w/o knowing it....  I know
_I_ did--Once.  :)

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
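Added example (not from the thread, and not Snort's own code): a small Python model of the two things being discussed, the payload "content:" check behind the cmd.exe rule in the stripped-down snort.conf above, and the TCP-flag checks that stream4's detect_scans performs and that a border router ACL would have to reproduce. Everything here is constructed: the TCP segments are built inline, the scan names are the standard NULL/Xmas/FIN/SYN-FIN flag combinations (mapping them to stream4's exact alert strings is an assumption of this example; Vecna is not modelled), and the two "border filter" functions are hypothetical ACLs written to show Erek's warning about dropping legitimate traffic by accident.

```python
import struct

# TCP flag bits (low byte of the flags field, RFC 793 order).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_tcp_segment(sport, dport, flags, payload=b""):
    """Constructed 20-byte TCP header (no options, checksum left 0) plus payload."""
    data_offset = 5 << 4  # header length = 5 x 32-bit words, upper nibble
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset, flags, 65535, 0, 0)
    return hdr + payload


def parse_tcp_segment(segment):
    """Return (sport, dport, flags, payload) from a raw TCP segment."""
    sport, dport, _seq, _ack, off_res, flags, _win, _csum, _urgp = struct.unpack(
        "!HHIIBBHHH", segment[:20])
    hlen = (off_res >> 4) * 4
    return sport, dport, flags, segment[hlen:]


def stealth_scan_name(flags):
    """Flag combinations a stream4-style detect_scans check looks for.
    Assumption: these four standard combinations stand in for stream4's table."""
    if flags == 0:
        return "NULL scan"
    if flags == FIN | PSH | URG:
        return "Xmas scan"
    if flags == SYN | FIN:
        return "SYN FIN scan"
    if flags == FIN:
        return "FIN scan"
    return None


def content_matches(payload, pattern, nocase):
    """Snort-style 'content:' check: raw byte substring, case-folded when nocase is set."""
    if nocase:
        return pattern.lower() in payload.lower()
    return pattern in payload


# Shaped like the rule in the stripped-down snort.conf: (msg, pattern, nocase).
# Ports are 'any any -> any any', so only the payload decides.
CONTENT_RULES = [
    ("WEB-IIS cmd.exe access", b"cmd.exe", True),
]


def inspect_segment(segment, detect_scans=True):
    """Alerts a minimal Snort-like engine would raise for one segment."""
    _sport, _dport, flags, payload = parse_tcp_segment(segment)
    alerts = []
    if detect_scans:  # this is what goes away when detect_scans is removed
        scan = stealth_scan_name(flags)
        if scan:
            alerts.append("STEALTH ACTIVITY (%s) detection" % scan)
    for msg, pattern, nocase in CONTENT_RULES:
        if content_matches(payload, pattern, nocase):
            alerts.append(msg)
    return alerts


def naive_border_filter_drops(flags):
    """Hypothetical router ACL: 'drop anything with FIN'. It stops FIN, Xmas and
    SYN-FIN probes, but also every normal FIN/ACK connection teardown."""
    return bool(flags & FIN)


def careful_border_filter_drops(flags):
    """Hypothetical ACL that drops only segments with no ACK that are neither a
    bare SYN (new connection) nor a bare RST (RFC 793 reset to a segment that
    carried ACK). Normal ACK-bearing data and teardown segments pass."""
    return not (flags & ACK) and flags not in (SYN, RST)


# Constructed traffic, labelled by what it is meant to represent.
SAMPLES = {
    "browser GET /cmd.exe": build_tcp_segment(
        40000, 80, PSH | ACK, b"GET /cmd.exe HTTP/1.0\r\nHost: 192.0.2.10\r\n\r\n"),
    "browser GET /CMD.EXE": build_tcp_segment(
        40001, 80, PSH | ACK, b"GET /CMD.EXE HTTP/1.0\r\n\r\n"),
    "normal teardown FIN/ACK": build_tcp_segment(40000, 80, FIN | ACK),
    "bare RST": build_tcp_segment(80, 40002, RST),
    "Xmas probe": build_tcp_segment(50000, 80, FIN | PSH | URG),
    "NULL probe": build_tcp_segment(50001, 80, 0),
    "FIN probe": build_tcp_segment(50002, 80, FIN),
}


def run_samples(detect_scans=True):
    """Map sample name -> (alerts, naive ACL drops it, careful ACL drops it)."""
    out = {}
    for name, seg in SAMPLES.items():
        flags = parse_tcp_segment(seg)[2]
        out[name] = (inspect_segment(seg, detect_scans),
                     naive_border_filter_drops(flags),
                     careful_border_filter_drops(flags))
    return out


if __name__ == "__main__":
    for name, (alerts, naive, careful) in run_samples().items():
        print("%-26s alerts=%-44s naive_drop=%-5s careful_drop=%s"
              % (name, alerts or "-", naive, careful))
```

Running it shows the cmd.exe rule firing on both the lower- and upper-case request (nocase), the three probes producing a stealth alert only while detect_scans is on, and the difference between the two ACLs: the naive one drops the legitimate FIN/ACK teardown along with the probes, which is the kind of surprise Erek describes; the careful one lets the teardown and the bare RST through and still drops the NULL, Xmas and FIN probes.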


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
