Snort mailing list archives
Snort not loggin hack attempts
From: "Paul J. Smith" <pjsmith () microtech co gg>
Date: Tue, 25 Jun 2002 12:20:35 +0100
Hi,

We get loads of attempts every day and I was trying Snort as an alternative real-time detection system. I've currently downloaded the latest Windows build of Snort and am running it on Windows XP. Whilst it is running, it doesn't seem to be detecting any of the attacks. In particular, as you can see from the log file snippet below, it doesn't detect Unicode exploit attempts we get all the time, which I have seen a module for in the config file.

2002-06-23 13:25:19 212.239.197.17 - 192.168.0.30 80 GET /scripts/root.exe /c+dir 404 3396 72 - - -
2002-06-23 13:25:23 212.239.197.17 - 192.168.0.30 80 GET /MSADC/root.exe /c+dir 404 3396 70 - - -
2002-06-23 13:25:34 212.239.197.17 - 192.168.0.30 80 GET /c/winnt/system32/cmd.exe /c+dir 404 3396 80 - - -
2002-06-23 13:25:37 212.239.197.17 - 192.168.0.30 80 GET /d/winnt/system32/cmd.exe /c+dir 404 3396 80 - - -
2002-06-23 13:25:39 212.239.197.17 - 192.168.0.30 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 3396 96 - - -
2002-06-23 13:25:41 212.239.197.17 - 192.168.0.30 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 500 0 117 - - -
2002-06-23 13:25:43 212.239.197.17 - 192.168.0.30 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 3396 117 - - -

The system is on the same hub as the gateway, so it should be able to see this as incoming traffic before it reaches the switch. My config file is as per the defaults.

Any pointers as to why this isn't working?

Thanks,
Paul
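A cross-check for the situation described in the message above, as an added example that is not part of the original post: it scans web server log lines in the layout shown in the message for the same probes, normalising the encoded backslash first, so the result can be compared against what the sensor alerted on. The field positions, the function names and the final benign log line are assumptions made for the example.

```python
from urllib.parse import unquote

# Constructed sample: the first three lines are copied from the post,
# the fourth is a benign request made up for this example.
SAMPLE_LOG = """\
2002-06-23 13:25:19 212.239.197.17 - 192.168.0.30 80 GET /scripts/root.exe /c+dir 404 3396 72 - - -
2002-06-23 13:25:39 212.239.197.17 - 192.168.0.30 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 3396 96 - - -
2002-06-23 13:25:41 212.239.197.17 - 192.168.0.30 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 500 0 117 - - -
2002-06-23 13:26:02 192.0.2.10 - 192.168.0.30 80 GET /index.html - 200 5120 60 - - -
"""
SHELL_BINARIES = {"cmd.exe", "root.exe"}  # file names requested in the post's log

def parse_line(line):
    """Split one log line by position (assumed layout: date, time, client IP, ...)."""
    parts = line.split()
    if line.startswith("#") or len(parts) < 10:
        return None  # header/comment line or truncated record
    status = int(parts[9]) if parts[9].isdigit() else None
    return {"time": f"{parts[0]} {parts[1]}", "client": parts[2],
            "stem": parts[7], "status": status}

def classify(stem):
    """Normalise the URI stem before matching, so ..%5c and ../ look the same."""
    decoded = unquote(stem).replace("\\", "/").lower()
    segments = decoded.split("/")
    reasons = []
    if ".." in segments:
        reasons.append("directory-traversal")
    if segments[-1] in SHELL_BINARIES:
        reasons.append("shell-binary")
    return reasons

def scan(log_text):
    """Return one finding per log line that matches at least one check."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        reasons = classify(entry["stem"]) if entry else []
        if reasons:
            findings.append({**entry, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["time"], f["client"], f["status"], ",".join(f["reasons"]), f["stem"])
```

Requests the server logged but the sensor never alerted on point to a capture or configuration problem on the sensor side; the response that did not return 404 is the one to look at first.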