Snort mailing list archives

Re: flexresp question/help


From: Phil Wood <cpw () lanl gov>
Date: Tue, 18 Dec 2001 16:44:00 -0700

If I were to:

  telnet 65.192.117.70 80

and type

  scripts/root.exe?

Would that be sufficient?

You could set up a tcpdump and watch for any traffic from net 128.165. and
see if a RST or some such were sent to your server and to net 128.165.

I might have your server address wrong.

Let's do it!

On Tue, Dec 18, 2001 at 05:21:01PM -0600, Ronneil Camara wrote:
I have just rebuilt my snort with flexresp.

I actually edited one rule in web-iis.rules.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (resp: rst_all; msg:"WEB-IIS CodeRed v2 root.exe access"; flags: A+; uricontent:"scripts/root.exe?"; nocase; classtype:web-application-attack; sid: 1256; rev:2;)

How will I know if this is working?

Neil

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list

-- 
Phil Wood, cpw () lanl gov
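
Added example, not part of the original thread: a way to read the tcpdump output from the test described above and confirm that resp: rst_all reset the connection toward both endpoints. Snort forges the resets, so they appear with the peer's address as source. The function names, the addresses and the sample capture are constructed for illustration, and the sniffer is assumed to see both directions of the connection.

```python
import re
from collections import defaultdict

# Matches TCP lines printed by `tcpdump -n`, e.g. captured with
#   tcpdump -n 'tcp port 80 and host <your web server>'
LINE = re.compile(
    r"IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def rst_directions(lines, server_ip, server_port=80):
    """Map each client (ip, port) to the directions in which a RST was seen."""
    server = (server_ip, server_port)
    seen = defaultdict(set)
    for line in lines:
        m = LINE.search(line)
        if not m or "R" not in m["flags"]:
            continue  # not a TCP line, or no RST flag set
        src = (m["src"], int(m["sport"]))
        dst = (m["dst"], int(m["dport"]))
        if dst == server:
            seen[src].add("to_server")
        elif src == server:
            seen[dst].add("to_client")
    return dict(seen)

def rst_all_confirmed(lines, server_ip, server_port=80):
    """Clients whose connection was reset toward both endpoints."""
    both = {"to_server", "to_client"}
    dirs = rst_directions(lines, server_ip, server_port)
    return sorted(c for c, d in dirs.items() if d == both)

# Constructed capture (RFC 5737 documentation addresses, not real traffic).
SAMPLE = """\
16:44:05.2000 IP 198.51.100.7.40000 > 192.0.2.80.80: Flags [P.], seq 1:28, ack 1, win 5840, length 27
16:44:05.2009 IP 198.51.100.7.40000 > 192.0.2.80.80: Flags [R.], seq 28, ack 1, win 0, length 0
16:44:05.2010 IP 192.0.2.80.80 > 198.51.100.7.40000: Flags [R.], seq 1, ack 28, win 0, length 0
16:44:09.0000 IP 198.51.100.9.40100 > 192.0.2.80.80: Flags [P.], seq 1:17, ack 1, win 5840, length 16
16:44:09.3000 IP 192.0.2.80.80 > 198.51.100.9.40100: Flags [R], seq 1, win 0, length 0
""".splitlines()

if __name__ == "__main__":
    for client in rst_all_confirmed(SAMPLE, "192.0.2.80"):
        print("reset in both directions:", client)
```

A client that shows only one direction, like the second one in the sample, was reset by something other than a working rst_all response, or the sniffer missed half of the exchange.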



