Snort mailing list archives

Easy web-server protection?

From: velbloud <velbloud () yahoo com>
Date: Wed, 29 Jan 2003 10:36:39 -0800 (PST)

Hi guys,
I was just wondering, if it was possible to install
SNORT on a machine running Apache web-server and have
it DROP or REJECT those packets containing cmd.exe,
FFFFF, BBBBBB and whatever other crap. I am a newbie
to the whole thing and I was playing with the SNORT a
bit, but couldn't get it to refuse those packets. It
did log them, but they still made it to the
web-server.

I am using the standart installation and .conf files
and I just tried to add a rule to the local.rules:

alert tcp any any -> 192.168.1.10/32 80 (msg:
"no-way"; content: "cmd.exe";nocase; react:
block,msg;)

but I guess I didn't get it right. Is anything like
that possible at all? My server is behind a firewall
so I am not really worried about the flag states etc.
Do I have to use any of the MySQL setups? I want to
keep it simple.

Any suggestions are greatly appreciated.
Thanks.
Libor

__________________________________________________
Do you Yahoo!?
Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
http://mailplus.yahoo.com


-------------------------------------------------------
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Easy web-server protection? velbloud (Jan 29)
- Re: Easy web-server protection? twig les (Jan 29)
- Re: Easy web-server protection? Javier Liendo (Jan 29)
- <Possible follow-ups>
- Re:Easy web-server protection? Shaiful (Jan 29)
  - Re: Re:Easy web-server protection? Eduardo Kita (Jan 30)
- RE: Re:Easy web-server protection? Bob McDowell (Jan 30)