Snort mailing list archives

RE: Testing Snort


From: Jody Gilbert <JDG () ovum com>
Date: Mon, 2 Aug 2004 08:31:20 +0100

Thanks for the tip, I have tried using content="/msadcs.dll", but I still
don't get any alerts.

Cheers,
Jody

-----Original Message-----
From: Charles Heselton [mailto:charles.heselton () gmail com] 
Sent: 02 August 2004 05:20
To: Jody Gilbert
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Testing Snort

----- Original Message -----
From: Jody Gilbert <jdg () ovum com>
Date: Sun, 1 Aug 2004 21:24:29 +0100
Subject: [Snort-users] Testing Snort
To: snort-users () lists sourceforge net
Hello All, 

I have just installed snort for the first time and am trying to test
it from my PC.

I am having trouble testing the web-iis rules. 

I have tried accessing /msadcs.dll and /cmd.exe on some of the web
servers on our LAN, but no alerts are created by snort.

I added the following rule to Snort as a test, which produced plenty of alerts:


alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"Test WEB-IIS";
flow:to_server; sid:1970; rev:6;)

However, when I add 'uricontent:"/msadcs.dll"; nocase;' to the above
rule I do not get any alerts.

I am new to Snort, so I imagine (hope) it's something pretty simple. 

Can anyone point me in the right direction? 

I am running Snort 2.1.3 on a Windows XP PC. 

Cheers, 

Jody 

-------------------------------------------------------------------------

 Jody Gilbert
 IT Manager


Taken from the Snort User's Guide (available for download/reading at
www.snort.org):

The uricontent parameter in the snort rule language searches the
NORMALIZED request URI field. This means that if you are writing rules
that include things that are normalized, such as %2f or directory
traversals, these rules will not alert. The reason is that the things
you are looking for are normalized out of the URI buffer.


Try using the "content" directive, instead of the "uricontent"
directive.  I believe the types of events that you are trying to
detect would be classified as directory traversals, even though you
are looking for specific strings.

-- 
Charlie Heselton
Network Security Engineer

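The User's Guide passage quoted above says that uricontent searches the normalized request URI, so patterns built from things that get normalized away (%2f, ../) never appear in that buffer, while content searches the raw payload. The following is an added example, not part of this thread and not Snort's own http_inspect code: a simplified Python model of that difference. It assumes normalization means percent-decoding the path and collapsing '.', '..' and repeated slashes; the three HTTP requests are constructed samples, not captured traffic, and the function names (raw_uri, normalize_uri, content_match, uricontent_match, compare) are this example's own.

```python
"""Added example: model of 'content' (raw payload) versus 'uricontent'
(normalized URI) matching. The normalization here is an assumption about
what an HTTP preprocessor does, not a reproduction of Snort's http_inspect."""
import posixpath
from urllib.parse import unquote

# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = {
    "plain":     b"GET /msadcs.dll HTTP/1.0\r\nHost: web1.lan\r\n\r\n",
    "traversal": b"GET /images/..%2f..%2fmsadcs.dll HTTP/1.0\r\nHost: web1.lan\r\n\r\n",
    "encoded":   b"GET /%6dsadcs.DLL HTTP/1.0\r\nHost: web1.lan\r\n\r\n",
}


def raw_uri(request: bytes) -> str:
    """Return the request-target from the first request line, undecoded."""
    request_line = request.split(b"\r\n", 1)[0].decode("latin-1")
    parts = request_line.split(" ")
    if len(parts) < 2:
        raise ValueError("malformed request line")
    return parts[1]


def normalize_uri(uri: str) -> str:
    """Assumed normalization: decode %XX in the path, then collapse '.',
    '..' and '//' segments. The query string is decoded but not
    path-normalized."""
    path, sep, query = uri.partition("?")
    path = posixpath.normpath(unquote(path))
    if not path.startswith("/"):
        path = "/" + path  # normpath("") yields "."; keep a rooted path
    return path + (sep + unquote(query) if sep else "")


def content_match(request: bytes, pattern: str, nocase: bool = True) -> bool:
    """'content'-style check: literal search over the raw packet payload."""
    payload = request.decode("latin-1")
    return (pattern.lower() in payload.lower()) if nocase else (pattern in payload)


def uricontent_match(request: bytes, pattern: str, nocase: bool = True) -> bool:
    """'uricontent'-style check: literal search over the normalized URI only."""
    uri = normalize_uri(raw_uri(request))
    return (pattern.lower() in uri.lower()) if nocase else (pattern in uri)


def compare(pattern: str) -> dict:
    """For each sample request, report (content hit, uricontent hit)."""
    return {
        name: (content_match(req, pattern), uricontent_match(req, pattern))
        for name, req in SAMPLE_REQUESTS.items()
    }


if __name__ == "__main__":
    for pattern in ("/msadcs.dll", "..%2f", "%6d"):
        print(pattern, compare(pattern))
```

Running it shows the two directions of the effect: a pattern such as "..%2f" is found by the raw-payload check on the traversal request but never in the normalized URI, because the decode-and-collapse step removes it; conversely the literal "/msadcs.dll" is found in the normalized URI of all three requests, including the ones that encode or traverse their way to the file, while the raw-payload check only sees it in the plain request. When a rule is expected to fire and does not, checking which buffer the pattern is being searched in is one of the first things to verify.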