Snort mailing list archives
What am I Protecting Against?
From: "Roy S. Rapoport" <snort-users () ols inorganic org>
Date: Mon, 2 Jun 2003 17:42:20 -0700
Sorry, couldn't come up with something wittier.

Now that I've got ACID running, I'm attempting to make sure I understand what alerts I'm seeing and why I'm seeing them. Obvious, ain't it? My goal is to get to the point that I log all things reasonably considered intrusions or recon, but to only alert on things that are actually threats -- in other words, I don't want to know at 2am that someone's trying to compromise my MS SQL Server, since it's running on UNIX and isn't MS SQL. Oh, and it's not available to the net :).

So I'm trying to figure out what some rules are actually trying to protect me against; sometimes, there are references to actual docs that make this obvious; sometimes, the rule documentation covers it. However, some rules are still undocumented. So for example, I give you SID 1852:

    alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC robots.txt access"; flow:to_server,established; uricontent:"/robots.txt"; nocase; reference:nessus,10302; classtype:web-application-activity; sid:1852; rev:3;)

As I see it, this alerts you of any attempts by anyone to access /robots.txt on your HTTP server. So hey, maybe I'm an idiot, but why? Trying to get /robots.txt is a simple part of any search engine that spiders your site. _I_ don't see it as a security issue at all. Am I missing something?

And, more generally, is there a way to find out, essentially, what the rule writer was thinking when they came up with the rule?

-roy
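One way to do the log-versus-alert triage the message describes, as an added example that is not from the original post or from the Snort project: a small Python parser for a Snort 2 rule line that reads the rule's classtype and downgrades the action from alert to log for classes the local policy treats as recon or informational rather than threats. The LOG_ONLY_CLASSTYPES set and the use of SID 1852 as sample input are constructed here; Snort's own classification.config priority-per-classtype mechanism is the in-tool alternative.

```python
import re
from typing import Dict, List, Tuple

# Sample input (constructed): the SID 1852 rule quoted in the message,
# as it would appear in a Snort 2.x rules file.
RULE_1852 = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
             '(msg:"WEB-MISC robots.txt access"; flow:to_server,established; '
             'uricontent:"/robots.txt"; nocase; reference:nessus,10302; '
             'classtype:web-application-activity; sid:1852; rev:3;)')

# Hypothetical local policy: these classtypes are recon/informational,
# so they should be recorded (Snort 'log' action) but not page anyone.
LOG_ONLY_CLASSTYPES = {"web-application-activity", "attempted-recon",
                       "network-scan", "not-suspicious"}

# One rule option: name, optional ':value' (quoted values may contain ';'),
# terminated by ';'.
_OPTION_RE = re.compile(r'\s*([a-z_]+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')


def parse_rule(rule: str) -> Tuple[str, str, Dict[str, List[str]]]:
    """Split a Snort rule into (action, header, options).
    Every occurrence of an option is kept, since 'content' and
    'reference' may legitimately repeat within one rule."""
    head, _, body = rule.partition("(")
    action, header = head.strip().split(None, 1)
    body = body.rstrip().rstrip(")")
    opts: Dict[str, List[str]] = {}
    pos = 0
    while pos < len(body):
        m = _OPTION_RE.match(body, pos)
        if not m:
            raise ValueError("unparsable option near: " + body[pos:pos + 20])
        key, val = m.group(1), m.group(2)
        val = "" if val is None else val.strip().strip('"')
        opts.setdefault(key, []).append(val)
        pos = m.end()
    return action, header, opts


def retune(rule: str) -> str:
    """Return the rule with 'alert' downgraded to 'log' when its classtype
    is in the local log-only set; otherwise return it unchanged."""
    action, _, opts = parse_rule(rule)
    ctype = opts.get("classtype", [""])[0]
    if action == "alert" and ctype in LOG_ONLY_CLASSTYPES:
        return "log " + rule[len(action):].lstrip()
    return rule


if __name__ == "__main__":
    print(retune(RULE_1852))
```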