Snort mailing list archives
Re: Snort-1.9.0 not generating required alerts
From: Erek Adams <erek () theadamsfamily net>
Date: Mon, 14 Oct 2002 17:54:00 -0700 (PDT)
On Mon, 14 Oct 2002, archana rao wrote:
> I had been using Snort-1.8.7 to detect the attacks towards an IIS 4.0 server which uses the URI: GET /scripts/..%c0%af../winnt/system32/cmd.exe/c+" and alerts were being generated by Snort-1.8.7. However, when I used Snort-1.9.0 to detect the same attacks, no alerts were being generated although I see from the source code that several improvements to deal with attacks against IIS servers more efficiently have been made which should enable Snort-1.9.0 to generate more alerts. I am not able to figure out what the problem is. Any suggestions?
First off, what alert do you expect to be generated? What SID do you expect to see? From a quick grep thru the rules, I'd guess you are expecting to see either 1065 or 1002.

One thing that has really changed in 1.9.0 is the addition of the 'flow' keyword. Since both of those rules are looking for "flow:to_server,established", I'm going to guess that you're not establishing a session, you're just firing the packets.

Do you have a packet capture of this? Is it something that you can reproduce at will?

Hope that helps!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
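To illustrate the flow point above, here is an added toy model (not Snort code and not part of the thread) of why a rule carrying flow:to_server,established only fires once a TCP handshake has been tracked, while a content-only rule fires on a bare replayed packet; the addresses, the simplified rule dictionaries and the packet sequences are constructed for the example.

```python
from dataclasses import dataclass
SERVER = "10.0.0.80"  # constructed address standing in for the IIS 4.0 host

@dataclass
class Pkt:
    src: str
    dst: str
    flags: str           # TCP flags: "S", "SA", "A" or "PA"
    payload: bytes = b""

class FlowTracker:
    """Toy stand-in for Snort's flow state: a flow counts as established
    only after client SYN, server SYN/ACK and the client's ACK are seen."""
    def __init__(self):
        self.state = {}  # (client, server) -> "SYN" | "SYN_ACK" | "EST"
    def update(self, p):
        key = (p.src, p.dst) if p.dst == SERVER else (p.dst, p.src)
        st = self.state.get(key)
        if p.flags == "S" and p.dst == SERVER:
            self.state[key] = "SYN"
        elif p.flags == "SA" and p.src == SERVER and st == "SYN":
            self.state[key] = "SYN_ACK"
        elif p.flags in ("A", "PA") and st in ("SYN_ACK", "EST"):
            self.state[key] = "EST"
        return self.state.get(key) == "EST"

# Same content match in both rules; only the second has the 1.9.0-style flow option.
URI = b"/scripts/..%c0%af../winnt/system32/cmd.exe/c+"
RULE_1_8 = {"content": URI}
RULE_1_9 = {"content": URI, "flow": "to_server,established"}

def rule_matches(rule, p, established):
    if "flow" in rule and (not established or p.dst != SERVER):
        return False  # no tracked session or wrong direction: flow option fails
    return rule["content"] in p.payload

def count_alerts(packets, rule):
    ft, hits = FlowTracker(), 0
    for p in packets:
        hits += rule_matches(rule, p, ft.update(p))
    return hits

CLIENT = "10.0.0.5"
REQ = b"GET " + URI + b" HTTP/1.0\r\n\r\n"
# Constructed traffic: one request fired with no handshake, then a full session whose reply echoes the URI.
FIRED_ONLY = [Pkt(CLIENT, SERVER, "PA", REQ)]
SESSION = [Pkt(CLIENT, SERVER, "S"), Pkt(SERVER, CLIENT, "SA"),
           Pkt(CLIENT, SERVER, "A"), Pkt(CLIENT, SERVER, "PA", REQ),
           Pkt(SERVER, CLIENT, "PA", b"HTTP/1.0 404 Not Found\r\n\r\n" + URI)]
```

count_alerts(FIRED_ONLY, RULE_1_9) returns 0 while the content-only rule returns 1, and in the full session the flow rule ignores the server's reply that echoes the URI, which the content-only rule also counts.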
Current thread:
- Snort-1.9.0 not generating required alerts archana rao (Oct 14)
- Re: Snort-1.9.0 not generating required alerts Erek Adams (Oct 14)
- Re: Snort-1.9.0 not generating required alerts archana rao (Oct 15)
- Re: Snort-1.9.0 not generating required alerts Erek Adams (Oct 15)
- Re: Snort-1.9.0 not generating required alerts archana rao (Oct 15)
- Re: Snort-1.9.0 not generating required alerts Alberto Gonzalez (Oct 15)
- Re: Snort-1.9.0 not generating required alerts Erek Adams (Oct 15)
- Re: Snort-1.9.0 not generating required alerts archana rao (Oct 16)
- Re: Snort-1.9.0 not generating required alerts Alberto Gonzalez (Oct 15)
- Re: Snort-1.9.0 not generating required alerts archana rao (Oct 16)
- Re: Snort-1.9.0 not generating required alerts archana rao (Oct 15)
- Re: Snort-1.9.0 not generating required alerts Erek Adams (Oct 14)