Snort mailing list archives
RE: Curse of the cmd.exe
From: Andreas Östling <andreaso () it su se>
Date: Sat, 15 Jun 2002 16:45:36 +0200 (CEST)
Sam Evans wrote:
It seems pointless to me, to log 10,000 cmd.exe attempts from outside hosts, when you don't know what the actual outcome was.. Sure, you have to go to your webserver logs to find out the real result, but, with all the Nimda / Codered still going on.. That makes for a very long day of log searching.
There are a few excellent "attack response" rules among the official Snort rules which you could focus on. (And as always, it's easy to write your own.) I'm not sure I agree that logging those 10,000 cmd.exe attempts is always pointless though. At least my experience is that when you catch a successful intrusion, even those alerts (to/from the involved hosts) that you would normally classify as false positives can be invaluable and give a better view of a larger picture. Personally I prefer to have snort and other tools collect as much possibly hostile activity as possible and then look for the best/worst stuff myself by post-processing the logs using SnortSnarf/ACID/grep etc.

I wrote a really ugly little perl script a while ago to help me combine attacks with attack responses by parsing an alert file, just as a test to see if it would be useful. It's really simple - if there is an alert from a.a.a.a:x -> b.b.b.b:y and then an alert from b.b.b.b:y -> a.a.a.a:x there is a darn good chance that they are related, so "generate an alert". You can also define what is a bad answer (host vulnerable) or good answer (host not vulnerable). This is obviously too simple to be really useful in the real world but could be extended in many ways. An example from a real-life alert file: http://people.su.se/~andreaso/misc/istest.html

I never finished it and probably never will, but I still like the idea. Has anyone made something similar? Or planning to?
Hopefully it will be much better than my attempt :)

Regards,
Andreas Östling
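The pairing rule described in the message above (an alert a.a.a.a:x -> b.b.b.b:y followed by an alert b.b.b.b:y -> a.a.a.a:x, with the reply rated as a bad or good answer) as an added worked example. This is not the poster's perl script; it is a small Python post-processor over Snort's "fast" alert-file format. The time window, the two ATTACK-RESPONSES rule names used as bad/good answers, and the sample alert lines are all assumptions chosen for illustration.

```python
"""Correlate Snort alerts with the replies they provoke.

Added example, not the script from the original post. Pairs an alert
from a.a.a.a:x -> b.b.b.b:y with the first later alert from
b.b.b.b:y -> a.a.a.a:x inside a short window, and rates the reply as a
bad answer (host looked vulnerable), a good answer (host did not), or
unknown. Input is Snort's one-line "fast" alert format.
"""
import re
from datetime import datetime, timedelta

# One line of Snort "fast" alert output. Ports are optional so that
# ICMP alerts still parse; they simply never get a port-matched reply.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Reply signatures that count as a bad or a good answer. These two rule
# names are an assumption chosen for illustration; extend the sets to taste.
BAD_ANSWERS = {"ATTACK-RESPONSES http dir listing"}
GOOD_ANSWERS = {"ATTACK-RESPONSES 403 Forbidden"}


def parse_alert(line):
    """Return a dict for one fast-format alert line, or None if it does not parse."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    a = m.groupdict()
    # The fast format carries no year; strptime fills in 1900, fine for ordering.
    a["time"] = datetime.strptime(a["ts"], "%m/%d-%H:%M:%S.%f")
    return a


def flow(a):
    return (a["src"], a["sport"], a["dst"], a["dport"])


def reverse_flow(a):
    return (a["dst"], a["dport"], a["src"], a["sport"])


def verdict(reply_msg):
    if reply_msg in BAD_ANSWERS:
        return "vulnerable"
    if reply_msg in GOOD_ANSWERS:
        return "not vulnerable"
    return "unknown"


def correlate(lines, window=timedelta(seconds=30)):
    """Pair each alert with the first later alert on the reversed 4-tuple."""
    alerts = sorted((a for a in map(parse_alert, lines) if a), key=lambda a: a["time"])
    used = set()  # indexes already consumed as somebody's reply
    pairs = []
    for i, atk in enumerate(alerts):
        if i in used:
            continue
        for j in range(i + 1, len(alerts)):
            rsp = alerts[j]
            if rsp["time"] - atk["time"] > window:
                break  # alerts are time-sorted, so nothing later can match
            if j not in used and flow(rsp) == reverse_flow(atk):
                used.add(j)
                pairs.append({
                    "attacker": atk["src"], "target": atk["dst"],
                    "attack": atk["msg"], "reply": rsp["msg"],
                    "verdict": verdict(rsp["msg"]),
                })
                break
    return pairs


# Constructed sample alert file (not real traffic): one cmd.exe probe that
# gets a directory listing back, one that gets a 403, one with no reply,
# and an ICMP alert with no ports at all.
SAMPLE_ALERTS = """\
06/15-16:45:36.120000  [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:3412 -> 192.168.1.10:80
06/15-16:45:36.380000  [**] [1:1292:4] ATTACK-RESPONSES http dir listing [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.10:80 -> 10.0.0.5:3412
06/15-16:46:02.010000  [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.77:1055 -> 192.168.1.20:80
06/15-16:46:02.250000  [**] [1:1201:3] ATTACK-RESPONSES 403 Forbidden [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.20:80 -> 10.0.0.77:1055
06/15-16:47:15.000000  [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.91:2044 -> 192.168.1.30:80
06/15-16:48:00.000000  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.5 -> 192.168.1.10
"""

if __name__ == "__main__":
    for p in correlate(SAMPLE_ALERTS.splitlines()):
        print(f'{p["attacker"]} -> {p["target"]}: "{p["attack"]}" '
              f'answered by "{p["reply"]}" => {p["verdict"]}')
```

On the sample file this reports two pairs, the first rated vulnerable and the second not vulnerable; the third cmd.exe probe and the ICMP alert stay unpaired. Run it against a real alert file with `correlate(open("alert").read().splitlines())`. The 30-second window is what keeps a reverse-direction alert from an unrelated later session from being taken as the reply, and the `used` set stops one reply from being credited to several probes.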
Current thread:
- RE: Curse of the cmd.exe Matt Yackley (Jun 14)
- <Possible follow-ups>
- RE: Curse of the cmd.exe Andreas Östling (Jun 15)
- RE: Curse of the cmd.exe MOLLOY, Brendan, GCM (Jun 17)
- RE: Curse of the cmd.exe M. Burnett (Jun 17)