Snort mailing list archives

Regarding web-iis rule NOT triggering


From: Ashley Thomas <athomas () cc gatech edu>
Date: Tue, 10 Jun 2003 15:59:39 -0400 (EDT)

The concerned rule is

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS
cmd.exe access"; flow:to_server,established; content:"cmd.exe"; nocase;
classtype:web-application-attack; sid:1002;  rev:5;)

I am wondering why the rule is not triggered for the following pkt:

06:50:06.369340 A.B.194.106.4843 > X.Y.134.191.http: P 0:73(73) ack
1 win17520 (DF)
0x0000   4500 0071 8097 4000 7206 8395 aabb c26a        E..q..@.r......j
0x0010   xxyy 86bf 12eb 0050 7030 eb11 5336 c93d        .......Pp0..S6.=
0x0020   5018 4470 b2c0 0000 4845 4144 202f 5f6d        P.Dp....HEAD./_m
0x0030   656d 5f62 696e 2f2e 2e2f 2e2e 2f2e 2e2f        em_bin/../../../
0x0040   2e2e 2f77 696e 6e74 2f73 7973 7465 6d33        ../winnt/system3
0x0050   322f 636d 642e 6578 653f 2f63 2b64 6972        2/cmd.exe?/c+dir
0x0060   2063 3a5c 205c 2048 5454 502f 312e 300a        .c:\.\.HTTP/1.0.
0x0070   0a                                             .

- I am using snort 2.0.0, downloaded just now from snort.org.

The snort.conf had -
#This rule file has the above rule
include $RULE_PATH/web-iis.rules

EXTERNAL_NET -> any
HOME_NET -> any
HTTP_PORTS -> 80
stream4 is enabled.
Also, I am running snort offline reading from a tcpdump file.

Note that no alerts were in fact generated, so it is not due to the fact
that the packet triggered some other alert (first exit).

Thanks a lot!

                        -Ashley Thomas (athomas () cc gatech edu)
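As an added check (not code from the post or from Snort), the script below rebuilds the packet from the hex dump above and evaluates the per-packet parts of sid:1002 on their own: TCP to $HTTP_PORTS, the flag bits, and the case-insensitive "cmd.exe" content match. It cannot evaluate flow:to_server,established, which in Snort 2.0 depends on stream4 having tracked the session, so it separates the content question from the stream-state one; the masked "xxyy" address bytes are replaced with 0000 so the dump parses.

```python
import re

# Constructed copy of the tcpdump dump from the post; payload bytes are unchanged,
# only the masked "xxyy" destination-address bytes are replaced with 0000.
HEXDUMP = r"""
0x0000   4500 0071 8097 4000 7206 8395 aabb c26a        E..q..@.r......j
0x0010   0000 86bf 12eb 0050 7030 eb11 5336 c93d        .......Pp0..S6.=
0x0020   5018 4470 b2c0 0000 4845 4144 202f 5f6d        P.Dp....HEAD./_m
0x0030   656d 5f62 696e 2f2e 2e2f 2e2e 2f2e 2e2f        em_bin/../../../
0x0040   2e2e 2f77 696e 6e74 2f73 7973 7465 6d33        ../winnt/system3
0x0050   322f 636d 642e 6578 653f 2f63 2b64 6972        2/cmd.exe?/c+dir
0x0060   2063 3a5c 205c 2048 5454 502f 312e 300a        .c:\.\.HTTP/1.0.
0x0070   0a                                             .
"""

def hexdump_to_bytes(dump):
    """Rebuild the raw IP packet from tcpdump's 'offset  hex...  ascii' lines."""
    out = bytearray()
    for line in dump.splitlines():
        toks = line.split()
        if not toks or not toks[0].startswith("0x"):
            continue
        for tok in toks[1:]:
            if not re.fullmatch(r"[0-9a-fA-F]{2,4}", tok):
                break                      # reached the ASCII column
            out += bytes.fromhex(tok)
    return bytes(out)

def tcp_fields(pkt):
    """Return (src_port, dst_port, flags, payload) from an IPv4/TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4              # IP header length in bytes
    total_len = int.from_bytes(pkt[2:4], "big")
    tcp = pkt[ihl:total_len]
    src, dst = int.from_bytes(tcp[0:2], "big"), int.from_bytes(tcp[2:4], "big")
    doff = (tcp[12] >> 4) * 4              # TCP data offset in bytes
    return src, dst, tcp[13], tcp[doff:]

def check_sid1002(pkt, http_ports=(80,)):
    """Per-packet parts of sid:1002 only; flow:established needs stream4 state."""
    src, dst, flags, payload = tcp_fields(pkt)
    return {
        "dst_port_ok": dst in http_ports,                # $HTTP_PORTS -> 80
        "content_match": b"cmd.exe" in payload.lower(),  # content:"cmd.exe"; nocase;
        "syn": bool(flags & 0x02),
        "ack": bool(flags & 0x10),
        "psh": bool(flags & 0x08),
        "payload_len": len(payload),
        "request_line": payload.split(b"\n", 1)[0].decode("ascii", "replace"),
    }

PACKET = hexdump_to_bytes(HEXDUMP)
```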


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net

