Snort mailing list archives
MS12-063 Rule Triggering
From: "Kochen, Joe" <joe.kochen () americo com>
Date: Wed, 12 Dec 2012 22:45:48 +0000
Let me start this off by saying I'm a relative noob when it comes to analyzing rules and exactly how they are getting triggered. I'm not sure of the best avenue for asking this question, so bear with me.

With that said, I have the MS12-063 rule enabled, and I can successfully exploit this vulnerability on the monitored network going through the sensors (using the standard Metasploit module). However, an event/alert never triggers. The sensors appear to be catching other misc things (just in case it was an overall problem with the sensor). I've taken a packet capture of the traffic and found all the keywords in the rule in the TCP stream; I haven't drilled down far enough to actually be sure that all the other parameters would allow for the rule to trigger.

I imagine the issue could lie in many different places, but are there any specific global configuration settings that might make this happen? Where would I want to start looking? Please note that I'm using the Sourcefire 3D sensors with a Defense Center.

Appreciate it,
Joe
Current thread:
- MS12-063 Rule Triggering Kochen, Joe (Dec 13)
- Re: MS12-063 Rule Triggering JJC (Dec 13)