Snort mailing list archives
FlexResp I THINK II (the sequel)
From: "Ben Johansen" <benj () intelisoft net>
Date: Fri, 31 Aug 2001 10:36:29 -0700
Well, I guess the code reds weren't coming quite like clockwork, this morning with just the react in the one rule in "web-iis.rules":

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; flags: A+; content:"cmd.exe"; nocase; classtype:attempted-user; sid:1002; rev:1; react:block;)

I had a Dr. Watson and Snort had turned off.

Ok Recap...
-Win32_Snort_FlexResp_181
-WinPCap 2.2
-LibnetNT.dll in same directory as snort. (nothing done to register dll)
-Start snort -> snort -c snort.cfg -l snort.log -o
-No changes to conf file from plain Win32_Snort_181 except adding Flex Vars.
-running from Command Prompt (cmd.exe not in path)

I removed the React and started getting the code red hits in log?

My ultimate goal is to start creating rules that will block the new JavaScript viruses starting to show up.

Ben Johansen - www.pcforge.com