Snort mailing list archives
Regarding web-iis rule NOT triggering
From: Ashley Thomas <athomas () cc gatech edu>
Date: Tue, 10 Jun 2003 15:59:39 -0400 (EDT)
The concerned rule is

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cmd.exe access"; flow:to_server,established; content:"cmd.exe"; nocase; classtype:web-application-attack; sid:1002; rev:5;)

I am wondering why the rule is not triggered for the following pkt:

06:50:06.369340 A.B.194.106.4843 > X.Y.134.191.http: P 0:73(73) ack 1 win 17520 (DF)
0x0000 4500 0071 8097 4000 7206 8395 aabb c26a  E..q..@.r......j
0x0010 xxyy 86bf 12eb 0050 7030 eb11 5336 c93d  .......Pp0..S6.=
0x0020 5018 4470 b2c0 0000 4845 4144 202f 5f6d  P.Dp....HEAD./_m
0x0030 656d 5f62 696e 2f2e 2e2f 2e2e 2f2e 2e2f  em_bin/../../../
0x0040 2e2e 2f77 696e 6e74 2f73 7973 7465 6d33  ../winnt/system3
0x0050 322f 636d 642e 6578 653f 2f63 2b64 6972  2/cmd.exe?/c+dir
0x0060 2063 3a5c 205c 2048 5454 502f 312e 300a  .c:\.\.HTTP/1.0.
0x0070 0a                                       .

- I am using the snort.2.0.0 downloaded just now from snort.org.

The snort.conf had

- #This rule file has the above rule
include $RULE_PATH/web-iis.rules

EXTERNAL_NET -> any
HOME_NET -> any
HTTP_PORTS -> 80

stream4 is enabled.

Also, I am running snort offline reading from a tcpdump file.

Note that no alerts were in fact generated, so it is not due to the fact that the packet triggered some other alert (first exit).

Thanks a lot!

-Ashley Thomas (athomas () cc gatech edu)
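As an added worked example (not part of the original post, and not Snort's own code), the script below reproduces, outside Snort, the parts of sid:1002 that can be decided from this one packet: it parses the quoted tcpdump hex output into bytes, walks the IPv4 and TCP headers by their own length fields, checks the destination port against the HTTP_PORTS setting from the post, and runs the rule's content:"cmd.exe"; nocase; test as the plain case-insensitive substring search it is. It deliberately does not decide flow:to_server,established, because that option is answered by stream4's session state rather than by anything inside a single segment; the script only reports the TCP flags so a reader can see what the segment itself carries. The hex dump is constructed from the post, with the two masked address octets ("xxyy") replaced by 0000, which affects nothing the checks look at.

```python
import re

# Constructed from the tcpdump hex output in the post. The masked octets
# "xxyy" (part of the destination address) are replaced by 0000 here;
# none of the checks below depend on them.
HEXDUMP = """\
0x0000 4500 0071 8097 4000 7206 8395 aabb c26a
0x0010 0000 86bf 12eb 0050 7030 eb11 5336 c93d
0x0020 5018 4470 b2c0 0000 4845 4144 202f 5f6d
0x0030 656d 5f62 696e 2f2e 2e2f 2e2e 2f2e 2e2f
0x0040 2e2e 2f77 696e 6e74 2f73 7973 7465 6d33
0x0050 322f 636d 642e 6578 653f 2f63 2b64 6972
0x0060 2063 3a5c 205c 2048 5454 502f 312e 300a
0x0070 0a
"""

# The rule's content pattern and the HTTP_PORTS value quoted in the post.
RULE_CONTENT = b"cmd.exe"
HTTP_PORTS = {80}

HEX_WORD = re.compile(r"^[0-9a-fA-F]{2,4}$")


def parse_hexdump(text):
    """Convert 'tcpdump -x' style lines (offset followed by 16-bit hex
    words) into raw bytes. Parsing of a line stops at the first token
    that is not a hex word, so a trailing ASCII column is ignored as long
    as it does not itself look like hex; strip that column first if it
    might (the constructed dump above has no ASCII column)."""
    out = bytearray()
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].lower().startswith("0x"):
            continue
        for tok in tokens[1:]:
            if not HEX_WORD.match(tok):
                break
            out += bytes.fromhex(tok)
    return bytes(out)


def tcp_fields(pkt):
    """Walk the IPv4 and TCP headers using their own length fields and
    return the pieces the rule header and options look at."""
    if pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4                 # IP header length in bytes
    total_len = int.from_bytes(pkt[2:4], "big")
    if pkt[9] != 6:
        raise ValueError("not TCP")
    tcp = pkt[ihl:total_len]
    data_off = (tcp[12] >> 4) * 4             # TCP header length in bytes
    return {
        "sport": int.from_bytes(tcp[0:2], "big"),
        "dport": int.from_bytes(tcp[2:4], "big"),
        "flags": tcp[13],                     # 0x18 = PSH|ACK
        "payload": tcp[data_off:],
    }


def content_match(payload, pattern, nocase=False):
    """Snort's content option is a plain substring search over the
    payload; nocase makes the comparison case-insensitive."""
    if nocase:
        return pattern.lower() in payload.lower()
    return pattern in payload


def check_rule(hexdump):
    """Evaluate the parts of sid:1002 that one packet can answer.
    flow:to_server,established is intentionally left out: stream4 decides
    it from the tracked session, not from this segment alone."""
    f = tcp_fields(parse_hexdump(hexdump))
    return {
        "dport_in_http_ports": f["dport"] in HTTP_PORTS,
        "content_cmd_exe": content_match(f["payload"], RULE_CONTENT, nocase=True),
        "is_syn": bool(f["flags"] & 0x02),   # SYN bit of the flags byte
        "payload_len": len(f["payload"]),
        "fields": f,
    }


if __name__ == "__main__":
    for key, value in check_rule(HEXDUMP).items():
        if key != "fields":
            print(f"{key}: {value}")
```

Run stand-alone, the script reports that the destination port is 80, that the 73-byte payload does contain "cmd.exe", and that the segment is a PSH/ACK with no SYN bit; that narrows the question in the post to the options the script cannot evaluate from a lone segment, chiefly the flow:established requirement and stream4's view of the session in the offline capture.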