Snort mailing list archives
Re: Problem with web-iis rules
From: Matt Kettler <mkettler () evi-inc com>
Date: Fri, 10 Oct 2003 15:41:47 -0400
At 11:39 AM 10/10/2003, Yan Zhai wrote:
I installed snort on my machine and launched a number of IIS attacks from my machine to another one in the LAN. The other machine is running an unpatched iis4.0 and the attacks are successful. Snort successfully reported the nmap portscans, however, it failed to report the iis attacks. It seems to me that snort just doesn't load up the web-iis rules. Below is my snort.conf, which is the default snort.conf with database output option. Can anyone point out what's the problem with it? Thanks.
Hmm, lack of stream4 and http_decode processors might cause problems here.The IIS rules are almost all uricontent rules.. this requires http_decode to be enabled to work.
They also use flows, which require stream4 to work. ------------------------------------------------------- This SF.net email is sponsored by: SF.net Giveback Program. SourceForge.net hosts over 70,000 Open Source Projects. See the people who have HELPED US provide better services: Click here: http://sourceforge.net/supporters.php _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Problem with web-iis rules Yan Zhai (Oct 10)
- Re: Problem with web-iis rules Matt Kettler (Oct 10)
- Re: Problem with web-iis rules Erek Adams (Oct 10)
- Re: Problem with web-iis rules Josh Berry (Oct 10)
- Re: Problem with web-iis rules Josh Berry (Oct 10)
- <Possible follow-ups>
- RE: Problem with web-iis rules snort-ml (Oct 10)
- RE: Problem with web-iis rules Yan Zhai (Oct 11)
- Re: Problem with web-iis rules Yan Zhai (Oct 11)
- RE: Problem with web-iis rules Alex Alborzfard (Oct 13)