Snort mailing list archives
RE: Making snort smarter...
From: <bmcdowell () coxhealthplans com>
Date: Tue, 29 Apr 2003 13:49:24 -0500
No, you misunderstand me. Reverse it. Do none of the other rules detect things that affect IIS? For example, there's web-attacks, web-cgi, etc. In fact, here's the number of times '$HTTP_SERVERS' is found in the ruleset I have:

ATTACK-RESPONSES.RULES: 12
DELETED.RULES: 12
DOS.RULES: 1
MISC.RULES: 2
WEB-ATTACKS.RULES: 47
WEB-CGI.RULES: 296
WEB-COLDFUSION.RULES: 35
WEB-FRONTPAGE.RULES: 34
WEB-IIS.RULES: 113
WEB-MISC.RULES: 261
WEB-PHP.RULES: 15

So, if you make it so something in '$IIS_SERVERS' is not in '$HTTP_SERVERS', tons of rules no longer apply, not simply the ones in web-iis. This may have an undesired impact... Do you see what I mean?

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Paul Schmehl
Sent: Tuesday, April 29, 2003 10:58 AM
To: Bob McDowell; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Making snort smarter...

Sure. All the web-iis.rules apply only to IIS. Why would I want alerts for apache running on Solaris when the attack only works on IIS? CodeRed, Nimda, etc. all only affect IIS. Right now all my webservers alert for that stuff, when the only ones I care about are IIS servers. An attacker can pound all day on an apache server looking for iissamples. Why would I care?

--On Tuesday, April 29, 2003 10:49:20 AM -0500 bmcdowell () coxhealthplans com wrote:

Not that I couldn't just look and find out for myself, but: Are there any 'web' rules that you want alerting for IIS servers? Obviously the reverse is the issue, but would such a fix break anything else?

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Paul Schmehl
Sent: Tuesday, April 29, 2003 9:49 AM
To: Jason Haar; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Making snort smarter...

Sure, I could do that, and then I'd have to cron it so that after oinkmaster replaces the rules they get fixed again. Wouldn't it be simpler to just incorporate this as a change to the ruleset? That way it's fixed for everyone.

--On Tuesday, April 29, 2003 09:03:50 PM +1200 Jason Haar <Jason.Haar () trimble co nz> wrote:

Paul Schmehl wrote:

For the specific example you give I think it would be entirely appropriate to create a var called "$IIS_SERVERS" and then put all the *other* webservers under $HTTP_SERVERS. I've suggested this before, and I'd love to see it implemented in the rules, because IIS is a beast unto itself.

Good idea - but as all IIS rules are within web-iis.rules, why not just script a rewrite?

echo "var IIS_SERVERS [1.2.3.4/32,2.3.4.1/32]"
sed 's/HTTP_SERVERS/IIS_SERVERS/g' web-iis.rules

Jason

-------------------------------------------------------
This sf.net email is sponsored by: ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
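As an added example that is not part of the thread, the following POSIX shell script reproduces the two things discussed above: the per-file count of $HTTP_SERVERS that bmcdowell posted, and the sed rewrite of web-iis.rules to $IIS_SERVERS that Jason Haar suggested. It goes one step further than the thread by emitting the two var lines so that the IIS hosts stay inside $HTTP_SERVERS as well, which is what keeps web-cgi, web-misc and the other files firing for those hosts. The rule lines, file names other than web-iis.rules and web-cgi.rules, the addresses, and the .iis output suffix are all constructed for illustration, not taken from any real ruleset.

```sh
#!/bin/sh
# Added example, not code from the thread. Rule text and addresses are
# constructed samples in classic Snort 2.x syntax.

# Write a tiny constructed ruleset into directory $1.
make_sample_ruleset() {
    mkdir -p "$1"
    cat > "$1/web-iis.rules" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SAMPLE WEB-IIS iissamples access"; flow:to_server,established; uricontent:"/iissamples/"; classtype:web-application-activity; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SAMPLE WEB-IIS .ida request"; flow:to_server,established; uricontent:".ida?"; classtype:web-application-attack; sid:9000002; rev:1;)
EOF
    cat > "$1/web-cgi.rules" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SAMPLE WEB-CGI test-cgi access"; flow:to_server,established; uricontent:"/test-cgi"; classtype:web-application-activity; sid:9000003; rev:1;)
EOF
    cat > "$1/dos.rules" <<'EOF'
# constructed: targets HOME_NET, so the IIS/HTTP split does not touch it
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SAMPLE DOS long request"; flow:to_server,established; dsize:>1400; classtype:attempted-dos; sid:9000004; rev:1;)
EOF
}

# Print "FILE.RULES: N" for every rule file in $1, where N is the number
# of rule lines that reference $HTTP_SERVERS (the count bmcdowell posted).
count_http_servers() {
    for f in "$1"/*.rules; do
        n=$(grep -c '\$HTTP_SERVERS' "$f" || true)
        printf '%s: %s\n' "$(basename "$f" | tr 'a-z' 'A-Z')" "$n"
    done
}

# Jason Haar's sed rewrite, applied to web-iis.rules only. The result goes
# to web-iis.rules.iis (my own naming) so the original survives for review.
rewrite_web_iis() {
    sed 's/\$HTTP_SERVERS/\$IIS_SERVERS/g' "$1/web-iis.rules" > "$1/web-iis.rules.iis"
}

# Emit the snort.conf variables. $1 = IIS hosts, $2 = other web hosts, both
# comma-separated CIDR lists. The IIS hosts are repeated inside HTTP_SERVERS
# on purpose: that is what keeps web-cgi, web-misc, web-attacks and the
# rest applying to them, which is the point bmcdowell raises above.
emit_vars() {
    printf 'var IIS_SERVERS [%s]\n' "$1"
    printf 'var HTTP_SERVERS [%s,%s]\n' "$1" "$2"
}

# Return 0 when the rewrite is confined to web-iis: the rewritten file
# references only $IIS_SERVERS, and web-cgi.rules still uses $HTTP_SERVERS.
check_rewrite() {
    if grep -q '\$HTTP_SERVERS' "$1/web-iis.rules.iis"; then return 1; fi
    grep -q '\$IIS_SERVERS' "$1/web-iis.rules.iis" || return 1
    grep -q '\$HTTP_SERVERS' "$1/web-cgi.rules" || return 1
}

# Stand-alone run: build the sample set, show the counts, do the rewrite.
demo() {
    d=$(mktemp -d)
    make_sample_ruleset "$d"
    echo "# rule lines per file that target \$HTTP_SERVERS:"
    count_http_servers "$d"
    rewrite_web_iis "$d"
    echo "# variables to add to snort.conf (constructed addresses):"
    emit_vars "10.1.1.10/32,10.1.1.11/32" "10.1.2.0/24"
    check_rewrite "$d" && echo "# rewrite OK: only web-iis moved to \$IIS_SERVERS"
    rm -rf "$d"
}
demo
```

Running it prints the per-file counts for the three constructed files, the two var lines, and a confirmation that only web-iis.rules changed. The same count loop run over a real rules directory gives the figures bmcdowell posted, which is the quickest way to see how many rules outside web-iis would go dark if IIS hosts were removed from $HTTP_SERVERS instead of listed in both variables.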
Current thread:
- Making snort smarter... Tobias Rice (Apr 28)
- Re: Making snort smarter... Paul Schmehl (Apr 28)
- Re: Making snort smarter... Jason Haar (Apr 29)
- Re: Making snort smarter... Paul Schmehl (Apr 29)
- Re: Making snort smarter... Jason Haar (Apr 29)
- Re: Making snort smarter... Jason Haar (Apr 29)
- Re: Making snort smarter... Jason Haar (Apr 29)
- Re: Making snort smarter... Paul Schmehl (Apr 28)
- <Possible follow-ups>
- RE: Making snort smarter... bmcdowell (Apr 29)
- RE: Making snort smarter... Paul Schmehl (Apr 29)
- Re: Making snort smarter... Jason (Apr 29)
- RE: Making snort smarter... Paul Schmehl (Apr 29)
- RE: Making snort smarter... bmcdowell (Apr 29)
- RE: Making snort smarter... Paul Schmehl (Apr 29)
- Re: Making snort smarter... JP Vossen (Apr 29)