Snort mailing list archives
Re: Testing Snort with Blade IDS Informer
From: Holger Mense <holger () project2501 de>
Date: Wed, 27 Apr 2005 22:39:54 +0200
Hello, I did some further research. * Holger Mense <holger () project2501 de>:
Now I have recently tested my snort sensor (using snort 2.3.2 and latest snort rules) with Blade Softwares IDS Informer demo version. However, I was a bit disappointed about the results. Besides the back orifice and the two portscan attempts, my sensor didn't detect anything else of the remaining 7 attacks provided by IDS Informer. In detail it didn't detect - TCP DNS Zone Transfer
As stated in another email in this thread, I am able to see UDP DNS Zone Transfer alerts from real DNS servers.
- IIS htr Buffer Overflow
After editing the rule "WEB-IIS ism.dll attempt" and changing 'uricontent:" .htr"' in 'uricontent:".htr"' I am able to see this attack.
- traceroute attempt
I have just checked my logs. I have already "ICMP traceroute" alerts in my logs. However my sensor does not detect the one from IDS Informer. So is any one here, who uses IDS Informer for testing his sensor? Is this person using the basic snort rule set (current version)? Thank you for your answers, Holger -- Holger Mense
Attachment:
signature.asc
Description: Digital signature
Current thread:
- Testing Snort with Blade IDS Informer Holger Mense (Apr 27)
- Re: Testing Snort with Blade IDS Informer Paul Schmehl (Apr 27)
- Re: Testing Snort with Blade IDS Informer Holger Mense (Apr 27)
- Re: Testing Snort with Blade IDS Informer Holger Mense (Apr 27)
- Re: Testing Snort with Blade IDS Informer Paul Schmehl (Apr 27)