Snort mailing list archives
Re: Testing Snort
From: Charles Heselton <charles.heselton () gmail com>
Date: Mon, 2 Aug 2004 04:19:48 +0000
----- Original Message -----
> From: Jody Gilbert <jdg () ovum com>
> Date: Sun, 1 Aug 2004 21:24:29 +0100
> Subject: [Snort-users] Testing Snort
> To: snort-users () lists sourceforge net
>
> Hello All,
>
> I have just installed snort for the first time and am trying to test it from my PC. I am having trouble testing the web-iis rules. I have tried accessing /msadcs.dll and /cmd.exe on some of the web servers on our LAN, but no alerts are created by snort.
>
> I added the following rule to Snort as a test, which produced plenty of alerts:
>
> alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"Test WEB-IIS"; flow:to_server; sid:1970; rev:6;)
>
> However, when I add 'uricontent:"/msadcs.dll"; nocase;' to the above rule I do not get any alerts.
>
> I am new to Snort, so I imagine (hope) it's something pretty simple. Can anyone point me in the right direction?
>
> I am running Snort 2.1.3 on a Windows XP PC.
>
> Cheers,
> Jody
>
> -------------------------------------------------------------------------
> Jody Gilbert
> IT Manager

Taken from the Snort User's Guide (available for download/reading at www.snort.org):

The uricontent parameter in the snort rule language searches the NORMALIZED request URI field. This means that if you are writing rules that include things that are normalized, such as %2f or directory traversals, these rules will not alert. The reason is that the things you are looking for are normalized out of the URI buffer.

Try using the "content" directive, instead of the "uricontent" directive. I believe the types of events that you are trying to detect would be classified as directory traversals, even though you are looking for specific strings.

--
Charlie Heselton
Network Security Engineer
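The raw-versus-normalized buffer distinction in the reply above, as an added example that is not part of the thread or of Snort itself: a toy normalizer (percent-decoding, folding of '//' and '/./', resolution of '/../') stands in for Snort's HTTP normalization, and two matchers model how 'content' searches the URI as sent while 'uricontent' searches the normalized copy. The normalizer is a simplification assumed for illustration, not Snort's actual http_inspect logic.

```python
"""Toy model of Snort's raw vs. normalized URI buffers (added example;
the normalizer is an assumed simplification, not Snort's own code)."""
from urllib.parse import unquote


def normalize_uri(raw_uri: str) -> str:
    """Approximate the normalized request URI that 'uricontent' searches."""
    # Only the path is normalized here; the query string is dropped.
    path = raw_uri.split("?", 1)[0]
    # Percent-decode (%2f -> '/', %6d -> 'm'), then fold path segments.
    decoded = unquote(path)
    parts = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue              # '//' and '/./' contribute nothing
        if seg == "..":
            if parts:
                parts.pop()       # directory traversal is resolved away
            continue
        parts.append(seg)
    return "/" + "/".join(parts)


def content_match(raw_uri: str, pattern: str, nocase: bool = False) -> bool:
    """'content' searches the payload as transmitted, i.e. the raw URI."""
    if nocase:
        return pattern.lower() in raw_uri.lower()
    return pattern in raw_uri


def uricontent_match(raw_uri: str, pattern: str, nocase: bool = False) -> bool:
    """'uricontent' searches the normalized URI buffer instead."""
    return content_match(normalize_uri(raw_uri), pattern, nocase)


if __name__ == "__main__":
    # Constructed request URIs; the third encodes the 'm' as %6d.
    for uri in ("/msadcs.dll", "/MSADCS.DLL", "/%6dsadcs.dll"):
        print(f"{uri:16} normalized={normalize_uri(uri):14} "
              f"content={content_match(uri, '/msadcs.dll', nocase=True)} "
              f"uricontent={uricontent_match(uri, '/msadcs.dll', nocase=True)}")
    # A pattern that normalization removes: '%2f' is decoded to '/'.
    print("%2f via content:", content_match("/cgi%2fmsadcs.dll", "%2f"),
          "via uricontent:", uricontent_match("/cgi%2fmsadcs.dll", "%2f"))
```

Running it shows that a literal like '%2f' is found by 'content' but not by 'uricontent', exactly the case the User's Guide excerpt describes, while an encoded '/msadcs.dll' is found only after normalization.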