RE: Curse of the cmd.exe

["M. Burnett" <mburnett () xato net>]

Here are some additional attack response strings I use when watching
IIS web servers.

c:\winnt
c:\inetpub
Microsoft Windows 2000 [Version 5.00.2195]
command completed successfully
The system cannot find the path specified.
File Not Found
Bad command or filename
is not recognized as an internal or external command
Sub Application_OnStart   (tells you if someone views global.asa)

I also make the following changes to attack-responses.rules
change "1 file(s) copied" to "file(s) copied"
change "Index of /cgi-bin/" to "Index of /"


Mark Burnett
www.xato.net



On Fri, 14 Jun 2002 08:14:45 -0500, Matt Yackley wrote:
> Not sure about the dynamic rules, but a simpler form is the attack
> response rules, but it may not be what you are looking for...here is
> the rule to see if a "dir" command was succesful from a web server:
> alert tcp $HTTP_SERVERS 80 -> $EXTERNAL_NET any (msg:"ATTACK
> RESPONSES directory listing"; content:"Directory of"; nocase;
> flags:A+;
> flow:from_server; classtype:unknown; sid:496; rev:4;)
>
> It doesn't tie in that close to the attempts but, you could just
> watch for the attack response alerts instead of worrying to much
> about the cmd.exe type alerts.
>
> Matt
>
> -----Original Message-----
> From: Sam Evans [mailto:sam () neuroflux com]
> Sent: Thursday, June 13, 2002 7:28 PM To: snort
> -users () lists sourceforge net Subject: [Snort-users] Curse of the
> cmd.exe
>
>
> I was wondering if there is any way to alter a signature (maybe by
> using the dynamic rules?) to have it record when a cmd.exe attempt
> on port 80 is followed by the server's 200 OK ?
>
> It seems pointless to me, to log 10,000 cmd.exe attempts from
> outside hosts, when you don't know what the actual outcome was..
> Sure, you have to go to your webserver logs to find out the real
> result, but, with all the Nimda / Codered still going on..   That
> makes for a very long day of log searching.
>
> Does anyone have suggestions for a solution?  Is there one?  It
> seems like it should be really easy to do.. in theory..
>
> Thanks, Sam
>
>
>
> _______________________________________________________________
>
> Don't miss the 2002 Sprint PCS Application Developer's Conference
> August 25-28 in Las Vegas -
> http://devcon.sprintpcs.com/adp/index.cfm?source=osdntextlink
>
> _______________________________________________ Snort-users mailing
> list Snort-users () lists sourceforge net Go to this URL to change user
> options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users
> list archive: http://www.geocrawler.com/redir-sf.php3?list=snort
> -users
>
> _______________________________________________________________
>
> Don't miss the 2002 Sprint PCS Application Developer's Conference
> August 25-28 in Las Vegas -
> http://devcon.sprintpcs.com/adp/index.cfm?source=osdntextlink
>
> _______________________________________________ Snort-users mailing
> list Snort-users () lists sourceforge net Go to this URL to change user
> options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users
> list archive: http://www.geocrawler.com/redir-sf.php3?list=snort
> -users






----------------------------------------------------------------------------
                   Bringing you mounds of caffeinated joy
                      >>>     http://thinkgeek.com/sf    <<<

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users