RE: Making snort smarter...

[Paul Schmehl <pauls () utdallas edu>]

Sure.  All the web-iis.rules apply only to IIS.  Why would I want alerts 
for apache running on Solaris when the attack only works on IIS?

CodeRed, Nimda, etc. all only affect IIS.  Right now all my webservers 
alert for that stuff, when the only ones I care about are IIS servers.  An 
attacker can pound all day on an apache server looking for iissamples.  Why 
would I care?

--On Tuesday, April 29, 2003 10:49:20 AM -0500 bmcdowell () coxhealthplans com 
wrote:

> Not that I couldn't just look and find out for myself, but:
>
> Are there any 'web' rules that you want alerting for IIS servers?
>
> Obviously the reverse is the issue, but would such a fix break anything
> else?
>
> -----Original Message-----
> From: snort-users-admin () lists sourceforge net
> [mailto:snort-users-admin () lists sourceforge net]On Behalf Of Paul
> Schmehl
> Sent: Tuesday, April 29, 2003 9:49 AM
> To: Jason Haar; snort-users () lists sourceforge net
> Subject: Re: [Snort-users] Making snort smarter...
>
>
> Sure, I could do that, and then I'd have to cron it so that after
> oinkmaster replaces the rules they get fixed again.
>
> Wouldn't it be simpler to just incorporate this as a change to the
> ruleset?
> That way it's fixed for everyone.
>
> --On Tuesday, April 29, 2003 09:03:50 PM +1200 Jason Haar
> <Jason.Haar () trimble co nz> wrote:
>
> > Paul Schmehl wrote:
> > > For the specific example you give I think it would be entirely
> > > appropriate to create a var called "$IIS_SERVERS" and then put all
> the
> > > *other* webservers under $HTTP_SERVERS.  I've suggested this before,
> and
> > > I'd love to see it implemented in the rules, because IIS is a beast
> unto
> > > itself.
> >
> > Good idea - but as all IIS rules are within web-iis.rules, why not
> just
> > script a rewrite?
> >
> > echo "var IIS_SERVERS [1.2.3.4/32,2.3.4.1/32]"
> > sed 's/HTTP_SERVERS/IIS_SERVERS/g' web-iis.rules
> >
> >
> > Jason
> >
> >
> >
> > -------------------------------------------------------
> > This sf.net email is sponsored by:ThinkGeek
> > Welcome to geek heaven.
> > http://thinkgeek.com/sf
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
>
> Paul Schmehl (pauls () utdallas edu)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu
>
>
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users



Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users