Snort mailing list archives

RE: FlexResp Running (I THINk!)


From: "Ben Johansen" <benj () intelisoft net>
Date: Fri, 31 Aug 2001 09:52:43 -0700

Well, I guess the Code Reds weren't coming quite like clockwork. This
morning, with just the react in the one rule in "web-iis.rules":

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; \
    flags: A+; content:"cmd.exe"; nocase; classtype:attempted-user; \
    sid:1002; rev:1; react:block;)

I had a Dr. Watson and Snort had turned off.

Ok Recap...
-Win32_Snort_FlexResp_181
-WinPCap 2.2
-LibnetNT.dll in same directory as snort. (nothing done to register dll)
-Start snort -> snort -c snort.cfg -l snort.log -o
-No changes to conf file from plain Win32_Snort_181 except adding Flex Vars.
-running from Command Prompt (cmd.exe not in path)

I removed the React and started getting the Code Red hits in the log?

My ultimate goal is to start creating rules that will block the new
JavaScript viruses starting to show up.

Ben Johansen - www.pcforge.com


