Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Should snort react this way?

From: "Ronneil Camara" <ronneilc () remingtonltd com>
Date: Fri, 4 Jan 2002 23:32:17 -0600
Hi to everyone on the list.

I would just like to confirm if snort should really behave this way. I configured
snort with flexresp. I added "resp: rst_all" on a rule in web-iis and attack-responses
rule that is related to cmd.exe and http dir listing.

I attacked my default installation of IIS server (unicode) then I was still able to
see the dir listings but snort, fortunately send a RST to both parties.

The parameter that I used was scripts/..%255c..%255c../winnt/system32/cmd.exe?/c+dir+c:\+/s

My question is, why is it that I was still able to see a dir listing of about
30%-40% of the complete listing before my internet browser sensed a RST?

Thanks.

Neil

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: