Snort mailing list archives

Re: Problem with web-iis rules


From: Matt Kettler <mkettler () evi-inc com>
Date: Fri, 10 Oct 2003 15:41:47 -0400

At 11:39 AM 10/10/2003, Yan Zhai wrote:
> I installed snort on my machine and launched a number of IIS attacks from my machine to another one in the LAN. The other machine is running an unpatched iis4.0 and the attacks are successful. Snort successfully reported the nmap portscans, however, it failed to report the iis attacks. It seems to me that snort just doesn't load up the web-iis rules. Below is my snort.conf, which is the default snort.conf with database output option. Can anyone point out what's the problem with it? Thanks.

Hmm, lack of stream4 and http_decode processors might cause problems here.

The IIS rules are almost all uricontent rules.. this requires http_decode to be enabled to work.

They also use flows, which require stream4 to work.





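An added example, not part of the original post and not Snort's own code: a small Python check for the condition described in the reply above, listing rules whose `uricontent` or `flow` options depend on a preprocessor that snort.conf does not enable. The function names, the sample snort.conf lines and the sample rules are constructed for illustration; the option-to-preprocessor mapping is taken from the reply.

```python
import re

# Rule option -> preprocessor it depends on, as stated in the reply above.
REQUIRES = {"uricontent": "http_decode", "flow": "stream4"}

def enabled_preprocessors(conf_text):
    """Names of preprocessors on active (uncommented) snort.conf lines."""
    found = (re.match(r"\s*preprocessor\s+(\w+)", l) for l in conf_text.splitlines())
    return {m.group(1) for m in found if m}

def rule_options(rule_line):
    """Option keywords inside a rule's parentheses."""
    m = re.search(r"\((.*)\)\s*$", rule_line)
    if not m:
        return set()
    # Blank out quoted strings so a ';' or ':' inside msg/content cannot split.
    body = re.sub(r'"(?:\\.|[^"\\])*"', '""', m.group(1))
    return {o.split(":", 1)[0].strip() for o in body.split(";") if o.strip()}

def blind_rules(conf_text, rules_text):
    """Map each missing preprocessor to the sids of rules that depend on it."""
    enabled = enabled_preprocessors(conf_text)
    missing = {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid = re.search(r"\bsid\s*:\s*(\d+)", line)
        for opt in rule_options(line):
            need = REQUIRES.get(opt)
            if need and need not in enabled:
                missing.setdefault(need, []).append(sid.group(1) if sid else "?")
    return missing

# Constructed sample input (not the poster's files): both preprocessors commented out.
SAMPLE_CONF = """\
# preprocessor stream4: detect_scans
# preprocessor http_decode: 80
preprocessor portscan: $HOME_NET 4 3 portscan.log
"""
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"constructed uricontent rule"; flow:to_server,established; uricontent:"/example.ext"; sid:1000001;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"constructed rule; no dependency"; content:"example"; sid:1000002;)
"""

if __name__ == "__main__":
    for prep, sids in sorted(blind_rules(SAMPLE_CONF, SAMPLE_RULES).items()):
        print(f"preprocessor {prep} not enabled; rules that depend on it: sid {', '.join(sids)}")
```

An empty result means every `uricontent` and `flow` rule in the file has the preprocessor it needs; it does not confirm that the rules file itself is included from snort.conf.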

