Snort mailing list archives
RE: Curse of the cmd.exe
From: "M. Burnett" <mburnett () xato net>
Date: Fri, 14 Jun 2002 11:08:20 -0600
Here are some additional attack response strings I use when watching IIS web servers.

  c:\winnt
  c:\inetpub
  Microsoft Windows 2000 [Version 5.00.2195]
  command completed successfully
  The system cannot find the path specified.
  File Not Found
  Bad command or filename
  is not recognized as an internal or external command
  Sub Application_OnStart (tells you if someone views global.asa)

I also make the following changes to attack-responses.rules:

  change "1 file(s) copied" to "file(s) copied"
  change "Index of /cgi-bin/" to "Index of /"

Mark Burnett
www.xato.net

On Fri, 14 Jun 2002 08:14:45 -0500, Matt Yackley wrote:
Not sure about the dynamic rules, but a simpler form is the attack response rules, but it may not be what you are looking for... here is the rule to see if a "dir" command was successful from a web server:

alert tcp $HTTP_SERVERS 80 -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES directory listing"; content:"Directory of"; nocase; flags:A+; flow:from_server; classtype:unknown; sid:496; rev:4;)

It doesn't tie in that close to the attempts, but you could just watch for the attack response alerts instead of worrying too much about the cmd.exe type alerts.

Matt

-----Original Message-----
From: Sam Evans [mailto:sam () neuroflux com]
Sent: Thursday, June 13, 2002 7:28 PM
To: snort -users () lists sourceforge net
Subject: [Snort-users] Curse of the cmd.exe

I was wondering if there is any way to alter a signature (maybe by using the dynamic rules?) to have it record when a cmd.exe attempt on port 80 is followed by the server's 200 OK?

It seems pointless to me to log 10,000 cmd.exe attempts from outside hosts when you don't know what the actual outcome was. Sure, you have to go to your webserver logs to find out the real result, but with all the Nimda / Code Red still going on, that makes for a very long day of log searching.

Does anyone have suggestions for a solution? Is there one? It seems like it should be really easy to do... in theory...
Thanks,
Sam

_______________________________________________________________
Don't miss the 2002 Sprint PCS Application Developer's Conference
August 25-28 in Las Vegas - http://devcon.sprintpcs.com/adp/index.cfm?source=osdntextlink
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
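The thread describes two complementary ideas: pairing an inbound cmd.exe request with the server's 200 OK (Sam's question) and matching the response body against strings that only appear when a command actually ran (Matt's sid:496 rule and Mark's additional strings). The following Python script, added here as an illustration and not code from the thread or from Snort, combines both over a handful of constructed request/response pairs. The `Exchange` record, the `classify` buckets and the sample traffic are my own assumptions; the match strings are the ones listed in the thread, and the substring test is case-insensitive like Snort's `content:...; nocase;`.

```python
import re
from dataclasses import dataclass

# Response strings from the thread: the sid:496 content, Mark Burnett's
# IIS additions, and the two stock attack-responses.rules patterns after
# his edits ("file(s) copied" and "Index of /").
ATTACK_RESPONSE_STRINGS = [
    "Directory of",                                          # sid:496
    "c:\\winnt",
    "c:\\inetpub",
    "Microsoft Windows 2000 [Version 5.00.2195]",
    "command completed successfully",
    "The system cannot find the path specified.",
    "File Not Found",
    "Bad command or filename",
    "is not recognized as an internal or external command",
    "Sub Application_OnStart",
    "file(s) copied",
    "Index of /",
]

CMD_EXE_RE = re.compile(r"cmd\.exe", re.IGNORECASE)


@dataclass
class Exchange:
    """One request/response pair as a proxy or IDS would reassemble it (assumed shape)."""
    client: str
    request_line: str
    status: int
    body: str


def response_hits(body: str) -> list:
    """Case-insensitive substring test, the equivalent of 'content:...; nocase;'."""
    low = body.lower()
    return [s for s in ATTACK_RESPONSE_STRINGS if s.lower() in low]


def classify(ex: Exchange) -> str:
    """
    'success'  - cmd.exe in the request, 200 back, and command output in the body
    'unknown'  - cmd.exe in the request, 200 back, but nothing recognisable in the body
    'attempt'  - cmd.exe in the request, non-200 response (the 10,000 noisy alerts)
    'response' - command output in the body with no cmd.exe in the request
                 (another vector, or a false positive such as an ordinary index page)
    'clean'    - none of the above
    """
    is_cmd = bool(CMD_EXE_RE.search(ex.request_line))
    hits = response_hits(ex.body)
    if is_cmd and ex.status == 200 and hits:
        return "success"
    if is_cmd and ex.status == 200:
        return "unknown"
    if is_cmd:
        return "attempt"
    if hits:
        return "response"
    return "clean"


def triage(exchanges) -> dict:
    """Bucket exchanges by verdict; 'success' and 'unknown' are the ones worth a log search."""
    out = {}
    for ex in exchanges:
        out.setdefault(classify(ex), []).append(ex)
    return out


# Constructed sample traffic (not captured data).
SAMPLE = [
    Exchange("10.0.0.5",
             "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
             404, "<html><head><title>The page cannot be found</title></head></html>"),
    Exchange("10.0.0.6",
             "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.0",
             200, " Volume in drive C has no label.\r\n Directory of c:\\\r\n\r\n"
                  "inetpub  <DIR>\r\nWINNT    <DIR>\r\n"),
    Exchange("10.0.0.7",
             "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+copy+x+y HTTP/1.0",
             200, "        1 file(s) copied.\r\n"),
    Exchange("10.0.0.8",
             "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+echo+hi HTTP/1.0",
             200, "hi\r\n"),
    Exchange("10.0.0.9",
             "GET /global.asa HTTP/1.0",
             200, "<SCRIPT LANGUAGE=VBScript RUNAT=Server>\r\nSub Application_OnStart\r\n"),
    Exchange("10.0.0.10", "GET /index.html HTTP/1.0", 200, "<html>Hello</html>"),
]

if __name__ == "__main__":
    for verdict, exs in triage(SAMPLE).items():
        for ex in exs:
            print(f"{verdict:9} {ex.client:10} {ex.status} {ex.request_line}")
```

Two caveats a practitioner would want to keep in mind. The `unknown` bucket (10.0.0.8) is the failure mode of the response-string approach: a command whose output contains none of the listed strings runs silently, so a 200 to a cmd.exe request still deserves a look even without a body match. And the loosened `Index of /` pattern also matches any ordinary Apache directory index, so on a mixed estate expect `response` hits that are not attacks; that is the trade-off the thread is making in exchange for not chasing every Nimda probe.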
Current thread:
- RE: Curse of the cmd.exe Matt Yackley (Jun 14)
- <Possible follow-ups>
- RE: Curse of the cmd.exe Andreas Östling (Jun 15)
- RE: Curse of the cmd.exe MOLLOY, Brendan, GCM (Jun 17)
- RE: Curse of the cmd.exe M. Burnett (Jun 17)