Snort mailing list archives

Re: Curse of the cmd.exe


From: Chris Keladis <Chris.Keladis () cmc cwo net au>
Date: Fri, 14 Jun 2002 19:30:20 +1000

Sam Evans wrote:

> I was wondering if there is any way to alter a signature (maybe by using the
> dynamic rules?) to have it record when a cmd.exe attempt on port 80 is
> followed by the server's 200 OK?
>
> Does anyone have suggestions for a solution?  Is there one?  It seems like
> it should be really easy to do.. in theory..

I'd say you could use dynamic rules to achieve what you require, for now.

Have a cmd.exe rule that chains to another rule which checks for a 200 OK from the webserver before it issues a final verdict on an alert.

According to the Snort docs on www.snort.org it seems dynamic rules will be phased out in favour of 'rule tagging', which I'd guess explains why rule chaining isn't used much in the current Snort ruleset (just my assumption, anyway).

Also the (upcoming) flow module might be of assistance to you here as well (http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.3.36).

Snort v2.0 sounds very promising :-)




Regards,

Chris.
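The chain Chris describes, written out as an added example (these rules are not from the thread, and not from the Snort ruleset). The first pair uses the Snort 1.x activate/dynamic mechanism: the activate rule fires on the cmd.exe request and switches on the dynamic rule, which then logs the web server's reply packets so the analyst can see whether a 200 OK came back. The second pair is the same idea using flowbits, which is assumed to require Snort 2.0 or later. $HOME_NET, $EXTERNAL_NET, the SIDs in the 1000000 range and the packet count are placeholders to adjust for your own site.

```snort
# --- Snort 1.x style: activate/dynamic chaining --------------------------
# Request side: a cmd.exe reference in traffic to the web server turns on
# dynamic rule group 1 (activates:1).
activate tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-IIS cmd.exe access"; flags:A+; content:"cmd.exe"; nocase; activates:1; sid:1000001; rev:1;)

# Response side: once activated, log up to 10 packets from the server back to
# the client. The content check narrows the log to replies that carry a
# "200 OK" status line, which is the condition the original question asks for.
dynamic tcp $HOME_NET 80 -> $EXTERNAL_NET any (activated_by:1; count:10; content:"200 OK";)

# --- Snort 2.0+ style: flowbits across the session -----------------------
# Request side: set a flag on the flow but stay quiet (flowbits:noalert), so
# a blocked or 404'd probe does not page anyone.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-IIS cmd.exe request"; flow:to_server,established; content:"cmd.exe"; nocase; flowbits:set,http.cmdexe.req; flowbits:noalert; sid:1000002; rev:1;)

# Response side: alert only if the flag is set on this flow AND the server's
# status line reads "HTTP/1.x 200 ...". distance:1 skips the minor version
# digit; within:5 pins " 200 " immediately after it.
alert tcp $HOME_NET 80 -> $EXTERNAL_NET any (msg:"WEB-IIS cmd.exe request answered 200 OK"; flow:from_server,established; flowbits:isset,http.cmdexe.req; content:"HTTP/1."; depth:7; content:" 200 "; distance:1; within:5; sid:1000003; rev:1;)
```

The flowbits form is the one to prefer where it is available: the dynamic rule in the first pair logs a fixed number of packets for a fixed window, so on a busy server it can miss the reply or log unrelated traffic, whereas the flowbit is scoped to the single TCP session that carried the request. In either form the alert you act on is the server-side rule, which is exactly the "200 OK followed a cmd.exe attempt" signal the original poster wanted rather than every probe that hit the box.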



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users