Snort mailing list archives

Re: Problem with web-iis rules


From: Erek Adams <erek () snort org>
Date: Fri, 10 Oct 2003 15:47:39 -0400 (EDT)

On Fri, 10 Oct 2003, Yan Zhai wrote:

I installed snort on my machine and launched a number of IIS attacks
from my machine to another one in the LAN.  The other machine is running
an unpatched iis4.0 and the attacks are successful.  Snort successfully
reported the nmap portscans, however, it failed to report the iis
attacks.  It seems to me that snort just doesn't load up the web-iis
rules.  Below is my snort.conf, which is the default snort.conf with
database output option.  Can anyone point out what's the problem with
it?  Thanks.

[...snip...]

/_vti_bin/..%c0%2f..%c0%2f..%c0%2f../winnt/system32/cmd.exe

[...snip...]

If you'll take a look at the rules you'll see 'flow: established' on each
of them.  That means if you just send over the one packet with the trigger
data in it, Snort will ignore it.  You _must_ make a full three-way
handshake, _then_ send the data over for it to be an alert.  It's useful
for reducing false positives.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
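The following is an added illustration, not code from the thread or from the Snort project: a toy model of what the `flow:established` option does. It tracks the TCP three-way handshake per connection and only evaluates the rule's content match against packets that belong to an established session, so a single crafted packet sent without a preceding handshake produces no alert, while the same payload sent after a completed handshake does. The packet records are constructed, and the `cmd.exe` content match stands in for the web-iis rules' payload matching; it is an assumption, not a copy of any real rule.

```python
"""Toy model of Snort's flow:established check (added example, not Snort code)."""
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str            # subset of "S", "A", "P", e.g. "SA" for SYN/ACK
    payload: bytes = b""


@dataclass
class FlowTracker:
    """Minimal TCP state machine keyed by the normalised 4-tuple."""
    state: dict = field(default_factory=dict)

    @staticmethod
    def key(p):
        # Both directions of one connection map to the same key.
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if a <= b else (b, a)

    def update(self, p):
        k = self.key(p)
        s = self.state.get(k, "NONE")
        if s == "NONE" and p.flags == "S":
            self.state[k] = "SYN_SENT"
        elif s == "SYN_SENT" and p.flags == "SA":
            self.state[k] = "SYN_RECV"
        elif s == "SYN_RECV" and "A" in p.flags:
            self.state[k] = "ESTABLISHED"
        return self.state.get(k, "NONE")

    def is_established(self, p):
        return self.state.get(self.key(p)) == "ESTABLISHED"


def rule_matches(p):
    # Assumed stand-in for the rule's content match.
    return b"cmd.exe" in p.payload


def run(packets, require_established=True):
    """Return indices of packets that would raise an alert."""
    tracker = FlowTracker()
    alerts = []
    for i, p in enumerate(packets):
        tracker.update(p)
        # flow:established gates the content check on session state.
        if require_established and not tracker.is_established(p):
            continue
        if rule_matches(p):
            alerts.append(i)
    return alerts


# Constructed sample traffic; the request line reuses the URI quoted in the thread.
ATTACKER, VICTIM = "10.0.0.5", "10.0.0.8"
REQUEST = b"GET /_vti_bin/..%c0%2f..%c0%2f..%c0%2f../winnt/system32/cmd.exe HTTP/1.0\r\n\r\n"

def stateless_probe():
    """One data packet with no handshake, as a raw packet sender would emit."""
    return [Packet(ATTACKER, 40000, VICTIM, 80, "PA", REQUEST)]

def handshake_then_request():
    """SYN, SYN/ACK, ACK, then the same request on the established session."""
    return [
        Packet(ATTACKER, 40001, VICTIM, 80, "S"),
        Packet(VICTIM, 80, ATTACKER, 40001, "SA"),
        Packet(ATTACKER, 40001, VICTIM, 80, "A"),
        Packet(ATTACKER, 40001, VICTIM, 80, "PA", REQUEST),
    ]

if __name__ == "__main__":
    print("no handshake, flow:established :", run(stateless_probe()))
    print("no handshake, flow check off   :", run(stateless_probe(), False))
    print("after handshake                :", run(handshake_then_request()))
```

The first scenario is the situation in the thread: the trigger bytes are on the wire, but with no handshake the session is never marked established, so the rule is skipped. Turning the flow check off shows the packet would otherwise match, and the third scenario shows the alert firing once the handshake has completed.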

