Snort mailing list archives

Re: RE: How to Triggering Windows Exploits?


From: ids () san rr com
Date: Tue, 25 May 2004 15:30:28 -0700

Hi Joshua,

Your answer is a little bit different from what I was asking. Let me elaborate a little. Are the rules written in a way
that requires a targeted computer to respond to an attack, or something of that nature, for Snort to issue an alert?
I have yet to see my Snort sensor alert me to any MS exploits (various network worms such as Sasser, Blaster... etc.). I
assumed the reason for this was because there are no Windows PCs connected to the network Snort is sensing on. Another
test I ran to see if Snort would issue an alert was the Cisco exploits. I do not have any Cisco devices on my network,
but I attempted to trigger an alert by hitting an IP on the protected network with the PERL script. No alerts. Do I
have to have the appropriate Cisco device to trigger the alert? Just a side note: I'm using the most current rules for
Snort (including the rules to detect the Cisco exploits) for testing and information gathering.


Any help on this I would greatly appreciate!


Alan

----- Original Message -----
From: Joshua Berry <jberry () PENSON COM>
Date: Tuesday, May 25, 2004 1:39 pm
Subject: RE: [Snort-users] How to Triggering Windows Exploits?

Snort will not verify OS or Services running on the target machine
unless you patch it with something like the Attack Verification patch
that uses Nessus to verify actual vulnerabilities of the target.

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[snort-users-admin () lists sourceforge net] On Behalf Of
ids () san rr com
Sent: Tuesday, May 25, 2004 2:46 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] How to Triggering Windows Exploits?

Hi everyone-


I have a simple question. Is it true that some Snort alerts are only
triggered if the target computer is vulnerable to that attack? To be a
little more specific... if an attack targets an exploit in Windows 2000
and I only have Linux running in my network, will Snort alert me to
those Windows attacks? The reason I ask is because I have a Snort
sensor detecting attacks against a Linux box running Apache. I
noticed that the only attacks I detect are SQL, HTTP and Linux
related. About a week ago, for a brief time, an associate put a
Windows 2k box off of the hub and I started to get hit with these Alerts
I had never seen before (MS Exploits). I want to capture more data on
the amount of exploit attacks on Windows and was wondering, for me to
gather that data, would I have to have a Windows computer on the network
Snort is sensing?

Thanks in advance!


Alan     



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users





