Snort mailing list archives

Snort not logging hack attempts


From: "Santoro, David" <david.santoro () lmco com>
Date: Tue, 25 Jun 2002 13:13:18 -0400

Paul

What preprocessors are running?  Do you have both the http-Decode 80 and
the Unidecode 80 active?  I have been doing some lab experiments with
Unicode and it seems that both need to be running for Snort to detect
Unicode, even though by the preprocessor descriptions only one of them needs
to be.

We get loads of attempts every day and I was trying Snort as an alternative
real-time detection system.  I've currently downloaded the latest Windows
build of Snort and am running it on Windows XP.  Whilst it is running, it
doesn't seem to be detecting any of the attacks.  In particular, as you can
see from the log file snippet below, it doesn't detect the Unicode exploit
attempts we get all the time, which I have seen a module for in the config
file.

2002-06-23 13:25:19 212.239.197.17 - 192.168.0.30 80 GET /scripts/root.exe /c+dir 404 3396 72 - - -
2002-06-23 13:25:23 212.239.197.17 - 192.168.0.30 80 GET /MSADC/root.exe /c+dir 404 3396 70 - - -
2002-06-23 13:25:34 212.239.197.17 - 192.168.0.30 80 GET /c/winnt/system32/cmd.exe /c+dir 404 3396 80 - - -
2002-06-23 13:25:37 212.239.197.17 - 192.168.0.30 80 GET /d/winnt/system32/cmd.exe /c+dir 404 3396 80 - - -
2002-06-23 13:25:39 212.239.197.17 - 192.168.0.30 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 3396 96 - - -
2002-06-23 13:25:41 212.239.197.17 - 192.168.0.30 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 500 0 117 - - -
2002-06-23 13:25:43 212.239.197.17 - 192.168.0.30 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 3396 117 - - -


The system is on the same hub as the gateway, so it should be able to see
this as incoming traffic before it reaches the switch.

My config file is as per the defaults.

Any pointers as to why this isn't working?

Thanks,

Paul



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
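The point David makes above (the request has to be decoded before a rule's content string is compared, otherwise "..%5c.." never looks like "..\..") can be seen offline with the following added Python example. It is not part of the original thread and is not Snort code: Snort's http_decode and unidecode preprocessors normalise the URI inside the packet payload, whereas this script reimplements the same decode-then-match step over the seven IIS W3C log lines quoted in Paul's message (embedded as a constructed sample) and compares the alert count with decoding switched off and on. The signature names, the content strings and the IIS field order are assumptions made for the illustration; no #Fields header was posted.

```python
"""Decode-then-match check over the IIS log lines quoted in the thread (added example)."""
import re
from urllib.parse import unquote_to_bytes

# Constructed sample: the seven W3C-format IIS log lines from the post, one per line.
IIS_LOG = """\
2002-06-23 13:25:19 212.239.197.17 - 192.168.0.30 80 GET /scripts/root.exe /c+dir 404 3396 72 - - -
2002-06-23 13:25:23 212.239.197.17 - 192.168.0.30 80 GET /MSADC/root.exe /c+dir 404 3396 70 - - -
2002-06-23 13:25:34 212.239.197.17 - 192.168.0.30 80 GET /c/winnt/system32/cmd.exe /c+dir 404 3396 80 - - -
2002-06-23 13:25:37 212.239.197.17 - 192.168.0.30 80 GET /d/winnt/system32/cmd.exe /c+dir 404 3396 80 - - -
2002-06-23 13:25:39 212.239.197.17 - 192.168.0.30 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 3396 96 - - -
2002-06-23 13:25:41 212.239.197.17 - 192.168.0.30 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 500 0 117 - - -
2002-06-23 13:25:43 212.239.197.17 - 192.168.0.30 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 3396 117 - - -
"""

# Illustrative content strings in the spirit of the web-iis rules; the names are assumptions.
SIGNATURES = {
    "WEB-IIS cmd.exe access": "cmd.exe",
    "WEB-IIS root.exe access": "root.exe",
    "WEB-IIS backslash directory traversal": "..\\",
}

_PCT_U = re.compile(r"%u([0-9a-fA-F]{4})")


def decode_uri(uri: str) -> str:
    """Single-pass normalisation: %uXXXX, then %XX, then overlong 2-byte UTF-8 (%c0%af, %c1%9c).

    Double encoding (%255c) is deliberately not unwound; that is a separate evasion.
    """
    s = _PCT_U.sub(lambda m: chr(int(m.group(1), 16)), uri)   # %u005c -> "\"
    raw = unquote_to_bytes(s)                                  # %5c -> b"\\"
    buf = bytearray()
    i = 0
    while i < len(raw):
        b = raw[i]
        # A strict UTF-8 decoder rejects overlong forms, which is exactly why the IIS
        # "Unicode" traversal used them; fold each one to the ASCII byte it encodes.
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            buf.append(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
        else:
            buf.append(b)
            i += 1
    return buf.decode("utf-8", errors="replace")


def parse_iis_line(line: str):
    """Field order assumed from the snippet: date time c-ip user s-ip port method uri query status ..."""
    f = line.split()
    if len(f) < 10 or not f[0][:4].isdigit():
        return None
    return {"date": f[0], "time": f[1], "c_ip": f[2], "s_ip": f[4],
            "method": f[6], "uri": f[7], "query": f[8], "status": f[9]}


def match_signatures(uri: str, decode: bool = True) -> list:
    """Return the signature names whose content string occurs in the (optionally decoded) URI."""
    target = (decode_uri(uri) if decode else uri).lower()
    return [name for name, needle in SIGNATURES.items() if needle.lower() in target]


def scan(log: str, decode: bool = True) -> list:
    """Run every signature over every parsable log line; one alert per (line, signature)."""
    alerts = []
    for line in log.splitlines():
        rec = parse_iis_line(line)
        if rec is None:
            continue
        for name in match_signatures(rec["uri"], decode):
            alerts.append((rec["time"], rec["c_ip"], name, rec["uri"]))
    return alerts


if __name__ == "__main__":
    for mode in (False, True):
        hits = scan(IIS_LOG, decode=mode)
        print(f"decode={mode}: {len(hits)} alerts")
        for t, ip, name, uri in hits:
            print(f"  {t} {ip} {name}: {uri}")
```

With decoding off only the literal cmd.exe and root.exe strings fire (7 alerts, one per line); with decoding on, the three requests that use ..%5c.. additionally match the backslash-traversal string (10 alerts). The traversal signature is the one that depends entirely on normalisation happening first, which is the class of rule Paul would lose if the decoding preprocessors were not active on the port he is watching.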