Snort mailing list archives
Re: Snort-1.9.0 not generating required alerts
From: archana rao <archuatdavis () yahoo com>
Date: Tue, 15 Oct 2002 11:35:51 -0700 (PDT)
Thanks for the reply. The alert that I expect to be generated has sid:981. It does look for the "flow:to_server, established", but I am establishing a session before sending the packets. I am doing tcpdump of the traffic between my attacking machine and the machine being attacked. I am writing the output of tcpdump into a file and using this tcpdump formatted file as input to Snort. These were the same steps that I followed in Snort-1.8.7. Am I missing out something? As I mentioned earlier, I am establishing a session before firing the packets.

Archana

--- Erek Adams <erek () theadamsfamily net> wrote:
> On Mon, 14 Oct 2002, archana rao wrote:
>
> > I had been using Snort-1.8.7 to detect the attacks towards an IIS 4.0 server which uses the URI: GET /scripts/..%c0%af../winnt/system32/cmd.exe/c+" and alerts were being generated by Snort-1.8.7. However, when I used Snort-1.9.0 to detect the same attacks, no alerts were being generated although I see from the source code that several improvements to deal with attacks against IIS servers more efficiently have been made which should enable Snort-1.9.0 to generate more alerts. I am not able to figure out what the problem is. Any suggestions?
>
> First off, what alert do you expect to be generated? What SID do you expect to see? From a quick grep thru the rules, I'd guess you are expecting to see either 1065 or 1002. One thing that has really changed in 1.9.0 is the addition of the 'flow' keyword. Since both of those rules are looking for "flow:to_server,established", I'm going to guess that you're not establishing a session, you're just firing the packets.
>
> Do you have a packet capture of this? Is it something that you can reproduce at will?
>
> Hope that helps!
>
> -----
> Erek Adams
> Nifty-Type-Guy
> TheAdamsFamily.Net
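The disagreement in this exchange is whether the tcpdump file fed to Snort actually contains the TCP three-way handshake that a `flow:to_server,established` rule needs before it can match. The following script is an added diagnostic, not code from this thread or from the Snort project: it walks a classic pcap file (little-endian, Ethernet link type, IPv4) and, for every HTTP request line it finds, reports whether a SYN, SYN-ACK, ACK sequence for that connection appeared earlier in the same capture and whether the request travels in the direction the handshake identified as client-to-server. The connection tracking is a deliberately simplified model of what Snort's stream preprocessor does (it ignores sequence numbers, resets and timeouts), so a "not established" result here means the capture is missing the handshake, not that Snort is wrong. The two captures at the bottom are constructed in code for the demonstration; the request line reuses the URI quoted in the thread, and the addresses and ports are made up.

```python
"""Check whether HTTP requests in a pcap are preceded by a completed TCP handshake."""
import struct

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def iter_pcap_records(data):
    """Yield the raw link-layer frames of a classic pcap (magic 0xa1b2c3d4, little-endian)."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("expected a little-endian classic pcap file")
    off = 24                                      # skip the 24-byte global header
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_tcp_frame(frame):
    """Return (src, sport, dst, dport, flags, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None                               # not IPv4
    ip = frame[14:]
    if ip[9] != 6:
        return None                               # not TCP
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip, 2)[0]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    data_off = (tcp[12] >> 4) * 4
    return src, sport, dst, dport, tcp[13], tcp[data_off:]


def analyze_pcap(data):
    """For each HTTP request line found, return (request_line, to_server, established).

    A connection is keyed by the client-side 4-tuple taken from the SYN; it moves
    syn -> synack -> established as the handshake packets are seen in order.
    """
    state = {}                                    # client 4-tuple -> handshake stage
    findings = []
    for frame in iter_pcap_records(data):
        parsed = parse_tcp_frame(frame)
        if parsed is None:
            continue
        src, sport, dst, dport, flags, payload = parsed
        fwd = (src, sport, dst, dport)
        rev = (dst, dport, src, sport)
        if flags & TCP_SYN and not flags & TCP_ACK:
            state[fwd] = "syn"                    # client opens the connection
        elif flags & TCP_SYN and flags & TCP_ACK and state.get(rev) == "syn":
            state[rev] = "synack"                 # server answers
        elif flags & TCP_ACK and state.get(fwd) == "synack":
            state[fwd] = "established"            # client completes the handshake
        if payload[:4] in (b"GET ", b"POST", b"HEAD"):
            request_line = payload.split(b"\r\n", 1)[0].decode("latin-1")
            to_server = fwd in state              # only knowable if we saw the SYN
            established = state.get(fwd) == "established"
            findings.append((request_line, to_server, established))
    return findings


# --- constructed sample captures (hypothetical hosts 10.0.0.5 -> 10.0.0.80) ---

def build_frame(src, sport, dst, dport, flags, payload=b""):
    """Build a minimal Ethernet/IPv4/TCP frame; checksums are left zero (not verified above)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(x) for x in src.split(".")),
                     bytes(int(x) for x in dst.split(".")))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def build_pcap(frames):
    """Wrap frames in a classic pcap container (link type 1 = Ethernet)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = b"".join(struct.pack("<IIII", 0, i, len(f), len(f)) + f
                       for i, f in enumerate(frames))
    return header + records


CLIENT, SERVER = ("10.0.0.5", 40000), ("10.0.0.80", 80)
REQUEST_LINE = "GET /scripts/..%c0%af../winnt/system32/cmd.exe/c+ HTTP/1.0"
REQUEST = REQUEST_LINE.encode() + b"\r\n\r\n"

WITH_HANDSHAKE = build_pcap([
    build_frame(*CLIENT, *SERVER, TCP_SYN),
    build_frame(*SERVER, *CLIENT, TCP_SYN | TCP_ACK),
    build_frame(*CLIENT, *SERVER, TCP_ACK),
    build_frame(*CLIENT, *SERVER, TCP_ACK | TCP_PSH, REQUEST),
])
NO_HANDSHAKE = build_pcap([
    build_frame(*CLIENT, *SERVER, TCP_ACK | TCP_PSH, REQUEST),   # request only, no session
])

if __name__ == "__main__":
    for name, cap in (("with handshake", WITH_HANDSHAKE), ("no handshake", NO_HANDSHAKE)):
        for line, to_server, est in analyze_pcap(cap):
            print(f"{name}: {line!r} to_server={to_server} established={est}")
```

To use it on a real file, replace the constructed captures with `open("trace.pcap", "rb").read()`; any request reported with `established=False` would not satisfy a `flow:to_server,established` rule no matter how good the content match is, which is the first thing to verify before suspecting the rule set.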