Snort mailing list archives

Re: Snort not detecting MS08-067

From: James Lay <jlay () slave-tothe-box net>
Date: Wed, 23 Oct 2013 10:12:50 -0600

On 2013-10-23 09:59, Jeremy Hoel wrote:

We need to know what your config is.  The rules are there, they are 
in
the rule tgz.  do you see them in your rules file?  Are they enabled?
what are your variables set too?  Do you see the traffic with 
tcpdump?

Troubleshooting questions..

On Wed, Oct 23, 2013 at 3:18 PM, LaTonya Hall <lhall () vahna net> 
wrote:

Any word on this?


On Oct 22, 2013, at 12:46 PM, LaTonya Hall <lhall () vahna net> wrote:

Not detecting PI callbacks either.
On Oct 22, 2013, at 12:04 PM, Joel Esler <jesler () sourcefire com> 
wrote:

On Oct 22, 2013, at 10:11 AM, LaTonya Hall <lhall () vahna net> wrote:

Any ideas??
Using the latest rule set and Metasploit Framework Version: 
4.6.0-dev.


Can you share a pcap for what you are trying to detect here?  I know 
we
cover that one, since we catch it in the wild every day.

--
Joel Esler
AEGIS Intelligence Lead
OpenSource Community Manager
Vulnerability Research Team, Sourcefire


There is currently one snort VRT rule (that I could find) that mentions 
MS08-067 that starts with:

alert tcp $EXTERNAL_NET any -> $HOME_NET...

So if you're scanning FROM $HOME_NET TO $HOME_NET, you're not going to 
see anything.

James

------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance.
Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from 
the latest Intel processors and coprocessors. See abstracts and register >
http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:

Snort not detecting MS08-067 LaTonya Hall (Oct 22)
- Re: Snort not detecting MS08-067 rmkml (Oct 22)
- Re: Snort not detecting MS08-067 Joel Esler (Oct 22)
  - Re: Snort not detecting MS08-067 LaTonya Hall (Oct 22)
    - Re: Snort not detecting MS08-067 LaTonya Hall (Oct 23)
    - Re: Snort not detecting MS08-067 Jeremy Hoel (Oct 23)
    - Re: Snort not detecting MS08-067 James Lay (Oct 23)
    - Re: Snort not detecting MS08-067 LaTonya Hall (Oct 23)
  - Re: Snort not detecting MS08-067 LaTonya Hall (Oct 30)
    - Re: Snort not detecting MS08-067 Joel Esler (Oct 23)