Snort mailing list archives
RE: Curse of the cmd.exe
From: "MOLLOY, Brendan, GCM" <Brendan.Molloy () gcm com>
Date: Fri, 14 Jun 2002 08:49:13 -0400
Sam Evans wrote:
I was wondering if there is any way to alter a signature (maybe by using the dynamic rules?) to have it record when a cmd.exe attempt on port 80 is followed by the server's 200 OK ?
Use URLSCAN on the web servers and block any URL with cmd.exe. You won't have to worry about the server giving a 200 OK.

-Brendan

-----Original Message-----
From: Chris Keladis [mailto:Chris.Keladis () cmc cwo net au]
Sent: Friday, June 14, 2002 5:30 AM
To: Sam Evans; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Curse of the cmd.exe

Sam Evans wrote:
I was wondering if there is any way to alter a signature (maybe by using the dynamic rules?) to have it record when a cmd.exe attempt on port 80 is followed by the server's 200 OK ? Does anyone have suggestions for a solution? Is there one? It seems like it should be really easy to do.. in theory..
I'd say you could use dynamic rules to achieve what you require, for now. Have a cmd.exe rule that chains to another rule which checks for a 200 OK from the webserver before it issues a final verdict on an alert.

According to the Snort docs on www.snort.org it seems dynamic rules will be phased out in favour of 'rule tagging', which I'd guess explains why rule chaining isn't used much in the current Snort ruleset (just my assumption, anyway).

Also the (upcoming) flow module might be of assistance to you here as well (http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.3.36).

Snort v2.0 sounds very promising :-)

Regards,

Chris.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
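What Sam is asking for is a stateful check: alert only when a cmd.exe request on port 80 is answered by the server with a 200 status, not on the request alone. The block below is an added example written for this archive page; it is not from the thread, not Snort rule syntax, and not Snort code. It is a stand-alone correlator in Python that keeps a table of outstanding cmd.exe requests keyed by the TCP 4-tuple and emits an alert only when the reply on the reversed 4-tuple is a 200. The packets, addresses and ports are constructed for the example, it assumes each request and response fits in one packet (no stream reassembly) and plain HTTP, and it percent-decodes the URI once so that a trivially encoded "c%6dd.exe" is still matched.

```python
"""Correlate cmd.exe requests to a web server with the server's reply.

Added example (not from the Snort-users thread, not Snort code). It records
a cmd.exe request per client/server 4-tuple and reports it only if the
server answers that same connection with an HTTP 200. Assumes one request
and one response per packet and plain (unencrypted) HTTP.
"""
import re
from collections import namedtuple
from urllib.parse import unquote

# Constructed packet model: just the fields the correlator needs.
Packet = namedtuple("Packet", "src sport dst dport payload")

REQUEST_RE = re.compile(rb"^(GET|POST|HEAD)\s+(\S+)\s+HTTP/1\.[01]\r?\n", re.I)
STATUS_RE = re.compile(rb"^HTTP/1\.[01]\s+(\d{3})\b")


def is_cmd_exe_request(payload: bytes) -> bool:
    """True if the payload is an HTTP request whose (once-decoded) URI names cmd.exe."""
    m = REQUEST_RE.match(payload)
    if not m:
        return False
    uri = unquote(m.group(2).decode("latin-1")).lower()
    return "cmd.exe" in uri


class CmdExeCorrelator:
    def __init__(self, server_port: int = 80):
        self.server_port = server_port
        # (client_ip, client_port, server_ip, server_port) -> request line
        self.pending = {}
        self.alerts = []

    def feed(self, pkt: Packet):
        """Consume one packet; return an alert tuple (client, server, request) or None."""
        if pkt.dport == self.server_port and is_cmd_exe_request(pkt.payload):
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            self.pending[key] = pkt.payload.split(b"\r\n", 1)[0].decode("latin-1", "replace")
            return None
        if pkt.sport == self.server_port:
            # Response travels server -> client, so reverse the tuple to find the request.
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            req = self.pending.pop(key, None)
            if req is None:
                return None
            m = STATUS_RE.match(pkt.payload)
            if m and m.group(1) == b"200":
                alert = (pkt.dst, pkt.src, req)
                self.alerts.append(alert)
                return alert
        return None


# Constructed sample traffic: four client/server exchanges against one web server.
SAMPLE_TRAFFIC = [
    # A: cmd.exe attempt, server answers 404 -> no alert
    Packet("10.0.0.5", 40001, "192.0.2.10", 80,
           b"GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"),
    Packet("192.0.2.10", 80, "10.0.0.5", 40001,
           b"HTTP/1.1 404 Object Not Found\r\nContent-Length: 0\r\n\r\n"),
    # B: ordinary page, 200 OK -> no alert (no cmd.exe in the request)
    Packet("10.0.0.6", 40002, "192.0.2.10", 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
    Packet("192.0.2.10", 80, "10.0.0.6", 40002, b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
    # C: cmd.exe attempt answered 200 OK -> alert
    Packet("10.0.0.5", 40003, "192.0.2.10", 80,
           b"GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"),
    Packet("192.0.2.10", 80, "10.0.0.5", 40003,
           b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"),
    # D: percent-encoded cmd.exe, 200 OK -> alert (caught because the URI is decoded)
    Packet("10.0.0.7", 40004, "192.0.2.10", 80,
           b"GET /scripts/c%6dd.exe?/c+dir HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n"),
    Packet("192.0.2.10", 80, "10.0.0.7", 40004, b"HTTP/1.1 200 OK\r\n\r\n"),
]


def run_sample():
    """Feed the constructed traffic through the correlator and return its alerts."""
    c = CmdExeCorrelator(server_port=80)
    for pkt in SAMPLE_TRAFFIC:
        c.feed(pkt)
    return c.alerts


if __name__ == "__main__":
    for client, server, req in run_sample():
        print(f"ALERT {client} -> {server}: {req!r} answered 200 OK")
```

The pending table is never aged out here; a real correlator would expire entries after a few seconds so a request whose response was never seen does not sit there forever. A 200 also only says the server served something at that URI, which could be a custom error page, so a production version would want to look at the response body as well, which is part of why blocking cmd.exe URLs at the server with URLScan, as Brendan suggests, removes the problem rather than detecting it.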
Current thread:
- RE: Curse of the cmd.exe Matt Yackley (Jun 14)
- <Possible follow-ups>
- RE: Curse of the cmd.exe Andreas Östling (Jun 15)
- RE: Curse of the cmd.exe MOLLOY, Brendan, GCM (Jun 17)
- RE: Curse of the cmd.exe M. Burnett (Jun 17)