RE: Curse of the cmd.exe

["MOLLOY, Brendan, GCM" <Brendan.Molloy () gcm com>]

Sam Evans wrote:

> I was wondering if there is any way to alter a signature (maybe by 
> using the dynamic rules?) to have it record when a cmd.exe attempt on 
> port 80 is followed by the server's 200 OK ?

Use URLSCAN on the web servers and block any URL with cmd.exe.  You won't
have to worry about the server giving a 200 OK.

-Brendan


-----Original Message-----
From: Chris Keladis [mailto:Chris.Keladis () cmc cwo net au] 
Sent: Friday, June 14, 2002 5:30 AM
To: Sam Evans; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Curse of the cmd.exe


Sam Evans wrote:

> I was wondering if there is any way to alter a signature (maybe by 
> using the dynamic rules?) to have it record when a cmd.exe attempt on 
> port 80 is followed by the server's 200 OK ?
>
> Does anyone have suggestions for a solution?  Is there one?  It seems 
> like it should be really easy to do.. in theory..

I'd say you could use dynamic rules to achieve what you require, for now.

Have a cmd.exe rule that chains to another rule which checks for a 200 
OK from the webserver before it issues a final verdict on an alert.

According to the Snort docs on www.snort.org it seems dynamic rules will 
be phased out in favour of 'rule tagging' which i'd guess explains why 
rule chaining isn't used much in the current Snort ruleset (just my 
assumption, anyway).

Also the (upcoming) flow module might be of assistance to you here as 
well (http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.3.36).

Snort v2.0 sounds very promising :-)




Regards,

Chris.


_______________________________________________________________

Don't miss the 2002 Sprint PCS Application Developer's Conference August
25-28 in Las Vegas -
http://devcon.sprintpcs.com/adp/index.cfm?source=osdntextlink

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


**********************************************************************
This e-mail is intended only for the addressee named above.
As this e-mail may contain confidential or privileged information,
if you are not the named addressee, you are not authorised to
retain, read, copy or disseminate this message or any part of it.
************************************************************************
 

----------------------------------------------------------------------------
                   Bringing you mounds of caffeinated joy
                      >>>     http://thinkgeek.com/sf    <<<

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users