Snort mailing list archives
RE: Snort "detect_scan" Bypass Alert
From: "Kalteis, Nico (Contractor)" <Nico.Kalteis () ed gov>
Date: Fri, 28 Mar 2003 15:14:21 -0500
That certainly makes sense, but at one point I even made a completely stripped down version of the snort.conf file that looked simply like this:

    var HOME_NET any
    var EXTERNAL_NET any
    var HTTP_SERVERS any
    var HTTP_PORTS any
    output alert_syslog: LOG_AUTH LOG_ALERT
    output alert_unified: filename snort.alert, limit 128
    # output log_unified: filename snort.log, limit 128
    include c:\snort\etc\classification.config
    include c:\snort\etc\reference.config
    # alert tcp any any -> any any
    alert tcp any any -> any any (msg:"WEB-IIS cmd.exe access"; content:"cmd.exe"; nocase;)

And that one didn't specify ANY preprocessors and STILL didn't log anything.

By the way, the way I am trying to trigger this rule, which has always worked before, is to open a browser on another machine and type http://ipaddr_of_snort_machine/cmd.exe

Thanks for being so patient with me. And I'll go try what you said anyway :-)

Nico

-----Original Message-----
From: Erek Adams [mailto:erek () snort org]
Sent: Friday, March 28, 2003 3:01 PM
To: Jose Ramon Hernandez Macias
Cc: snort-users () lists sourceforge net; erek () snort org
Subject: Re: [Snort-users] Snort "detect_scan" Bypass Alert

On Fri, 28 Mar 2003, Jose Ramon Hernandez Macias wrote:
> Just a question, that article suggests deleting the "detect_scans" option in the stream4 preprocessor in snort 1.9.1, if I do that I'm gonna lose every Stealth Scan detection like STEALTH ACTIVITY (Vecna scan) detection, STEALTH ACTIVITY (Xmas scan) detection, etc. right? So, I'm gonna lose all those detections if I delete that option? Maybe it is better to be sure that those kinds of packets are filtered on the border router/firewall instead of removing all the stealth detections from stream4 right?
If you remove the detect_scans option from stream4, then it will not have the ability to detect scans. :) You can enable one of the two portscan preprocessors and use them if you wish.

As for dropping traffic.... Just like with any other traffic. Better make sure what traffic you have that might have those flags (if any). Just your luck, you'd drop something important w/o knowing it.... I know _I_ did--Once. :)

Cheers!

-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson
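Nico's stripped-down config boils down to a single content rule, so the question of whether the rule *should* fire on a browser fetch of /cmd.exe can be checked without a sensor at all. The following is an added example, not code from this thread or from the Snort project: a small Python parser for the `var` lines and the `alert` rule header/options shown above, with a toy matcher that applies the `content`/`nocase` options to a constructed HTTP request. The second rule in the sample config (the case-sensitive variant) and the packet addresses and ports are my own additions; real Snort also handles CIDR blocks, port ranges, negation and `|hex|` content escapes, which this toy does not.

```python
import re

# Constructed sample config: the stripped-down snort.conf lines quoted in the
# thread, plus one extra case-sensitive rule (my addition, to show what
# "nocase" changes). The output/include lines are not needed here.
CONFIG = """
var HOME_NET any
var EXTERNAL_NET any
var HTTP_SERVERS any
var HTTP_PORTS any
# alert tcp any any -> any any
alert tcp any any -> any any (msg:"WEB-IIS cmd.exe access"; content:"cmd.exe"; nocase;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cmd.exe access (case-sensitive)"; content:"cmd.exe";)
"""

# Rule header: action proto src sport -> dst dport (options)
HEADER_RE = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)$')


def split_options(opts):
    """Split the option body on ';' but not inside double quotes."""
    out, cur, in_quote = [], [], False
    for ch in opts:
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            out.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = ''.join(cur).strip()
    if tail:
        out.append(tail)
    return [o for o in out if o]


def parse_rule(line, variables):
    """Parse one alert rule; $VAR tokens resolve against earlier 'var' lines."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a rule: " + line)
    action, proto, src, sport, dst, dport, opts = m.groups()

    def resolve(tok):
        return variables.get(tok[1:], tok) if tok.startswith('$') else tok

    rule = {"action": action, "proto": proto,
            "src": resolve(src), "sport": resolve(sport),
            "dst": resolve(dst), "dport": resolve(dport),
            "msg": "", "contents": []}   # contents: [pattern_bytes, nocase]
    for opt in split_options(opts):
        key, _, val = opt.partition(':')
        key, val = key.strip(), val.strip().strip('"')
        if key == 'msg':
            rule['msg'] = val
        elif key == 'content':          # |hex| escapes are not handled here
            rule['contents'].append([val.encode(), False])
        elif key == 'nocase' and rule['contents']:
            rule['contents'][-1][1] = True   # modifier applies to last content
    return rule


def load_config(text):
    """Collect 'var' definitions and 'alert' rules; skip comments and blanks."""
    variables, rules = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('var '):
            _, name, value = line.split(None, 2)
            variables[name] = value
        elif line.startswith('alert '):
            rules.append(parse_rule(line, variables))
    return variables, rules


def _spec_matches(spec, value):
    # Toy matcher: 'any' or an exact address/port string only.
    return spec == 'any' or spec == str(value)


def rule_matches(rule, proto, src, sport, dst, dport, payload):
    if rule['proto'] not in ('ip', proto):
        return False
    if not (_spec_matches(rule['src'], src) and _spec_matches(rule['sport'], sport)
            and _spec_matches(rule['dst'], dst) and _spec_matches(rule['dport'], dport)):
        return False
    for pattern, nocase in rule['contents']:
        hay, needle = (payload.lower(), pattern.lower()) if nocase else (payload, pattern)
        if needle not in hay:
            return False
    return True


def alerts_for(rules, proto, src, sport, dst, dport, payload):
    """Return the msg of every rule that fires on this one packet."""
    return [r['msg'] for r in rules
            if rule_matches(r, proto, src, sport, dst, dport, payload)]


if __name__ == '__main__':
    variables, rules = load_config(CONFIG)
    # Constructed packets: a browser fetching /cmd.exe from the sensor's web
    # port, as described in the thread, in two letter cases plus a benign request.
    for req in (b'GET /cmd.exe HTTP/1.0\r\n\r\n', b'GET /CMD.EXE HTTP/1.0\r\n\r\n',
                b'GET /index.html HTTP/1.0\r\n\r\n'):
        print(req.split(b'\r\n')[0].decode(),
              alerts_for(rules, 'tcp', '10.0.0.5', 3456, '10.0.0.1', 80, req))
```

Run as a script it prints which rule messages fire for each request; the uppercase request shows the difference `nocase` makes. If the toy matcher fires on the request but the sensor does not, the rule itself is not the problem, which points back at capture (interface, promiscuous mode, the sensor seeing its own traffic) or the output plugins rather than at the rule syntax.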
Current thread:
- Snort "detect_scan" Bypass Alert SecurityAdmin (Mar 28)
- <Possible follow-ups>
- Snort "detect_scan" Bypass Alert Jose Ramon Hernandez Macias (Mar 28)
- Re: Snort "detect_scan" Bypass Alert Erek Adams (Mar 28)
- RE: Snort "detect_scan" Bypass Alert SecurityAdmin (Mar 28)
- RE: Snort "detect_scan" Bypass Alert Kalteis, Nico (Contractor) (Mar 28)
- RE: Snort "detect_scan" Bypass Alert Kalteis, Nico (Contractor) (Mar 28)