Snort mailing list archives
RE: How to Triggering Windows Exploits?
From: "Alan" <ids () san rr com>
Date: Wed, 26 May 2004 00:02:05 -0700
James,

Let me see if I have this correct... If flow: to_server, established is part of a rule and there is a service allowing this establishment (http, ftp, SQL...etc), then I should see an alert trigger regardless of whether I have a system that can be affected, such as your example with Apache and triggering IIS alerts (Apache is advertising http port 80, allowing the established session; then Snort detects the IIS exploit and sends me an alert). I think the key to this is the flow: to_server, established part of the rule. It now makes total sense if I have this all correct.

Thanks!
Alan

I'm doing a (free) operating system (just a hobby, won't be big and professional like gnu) for 386(486) AT clones.
Linus (torvalds () kruuna helsinki fi) Date: 1991-08-25 23:12:08 PST

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of James Riden
Sent: Tuesday, May 25, 2004 6:05 PM
To: ids () san rr com
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] How to Triggering Windows Exploits?

ids () san rr com writes:
> Hi Joshua,
>
> Your answer is a little bit different from what I was asking. Let me elaborate a little. Are the rules written in a way that requires a targeted computer to respond to an attack, or something of that nature, for Snort to issue an alert? I have yet to see my Snort sensor alert me to any MS exploits (various network worms such as Sasser, Blaster...etc). I assumed the reason for this was because there are no Windows PCs connected to the network Snort is sensing on.
If you haven't got any Windows boxes, you sometimes won't be able to establish a TCP session, e.g. for ports 1900, 1500, 445 etc., so most of the rules won't fire. If you're running stuff like Samba, you should still be able to see warnings about connecting to IPC$, or if you've got Apache, the IIS rules will happily alert you to attempted cmd.exe accesses, etc. And you may see stuff like Slammer worm packets because that's UDP and doesn't need a session established.

cheers,
 Jamie
--
James Riden / j.riden () massey ac nz / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
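The point James makes and Alan restates (a rule carrying flow: to_server, established only fires once the TCP three-way handshake has completed, whatever OS answers the SYN, while a UDP rule needs no session) can be seen in a small model of the stream tracking Snort does before rule matching. The following Python is an added example, not code from this thread or from the Snort project; the packets, the three toy rules, the hosts 10.0.0.5 / 10.0.0.9 and the WORM-MARKER payload are all constructed for illustration and do not reproduce any real signature.

```python
"""Toy model of why ``flow:to_server,established`` rules depend on a completed
TCP handshake. Constructed for illustration; not Snort's code or rule set."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""       # TCP flags as letters: "S", "SA", "A", "PA", "RA"
    payload: bytes = b""


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str
    dport: int
    content: bytes        # stands in for a Snort ``content:`` match
    flow: str = ""        # e.g. "to_server,established"; empty means no flow check


class FlowTracker:
    """Minimal stream tracker: a flow becomes 'established' only after SYN,
    SYN/ACK and ACK; a RST tears the (half-open) flow down."""

    def __init__(self):
        # key = (client, client_port, server, server_port) -> state
        self.state = {}

    def update(self, p: Packet) -> None:
        if p.proto != "tcp":
            return                      # UDP has no session state at all
        key = (p.src, p.sport, p.dst, p.dport)
        rkey = (p.dst, p.dport, p.src, p.sport)
        if p.flags == "S":
            self.state[key] = "syn_sent"
        elif p.flags == "SA" and self.state.get(rkey) == "syn_sent":
            self.state[rkey] = "syn_received"
        elif p.flags == "A" and self.state.get(key) == "syn_received":
            self.state[key] = "established"
        elif "R" in p.flags:            # RST: nothing listening, drop the flow
            self.state.pop(key, None)
            self.state.pop(rkey, None)

    def direction(self, p: Packet):
        """Return (direction, established) for a tracked flow, else None."""
        key = (p.src, p.sport, p.dst, p.dport)
        rkey = (p.dst, p.dport, p.src, p.sport)
        if key in self.state:
            return "to_server", self.state[key] == "established"
        if rkey in self.state:
            return "to_client", self.state[rkey] == "established"
        return None


def matches(rule: Rule, p: Packet, tracker: FlowTracker) -> bool:
    if p.proto != rule.proto or p.dport != rule.dport:
        return False
    if rule.content not in p.payload:
        return False
    if rule.flow:
        tracked = tracker.direction(p)
        if tracked is None:
            return False                # no session: flow rule cannot fire
        direction, established = tracked
        wants = set(rule.flow.split(","))
        if "established" in wants and not established:
            return False
        if "to_server" in wants and direction != "to_server":
            return False
        if "to_client" in wants and direction != "to_client":
            return False
    return True


def scan(rules, packets):
    """Feed packets through the tracker, then the rules; return (index, rule) alerts."""
    tracker = FlowTracker()
    alerts = []
    for i, p in enumerate(packets):
        tracker.update(p)
        alerts.extend((i, r.name) for r in rules if matches(r, p, tracker))
    return alerts


# Constructed stand-ins for the rule classes mentioned in the thread.
RULES = [
    Rule("WEB-IIS cmd.exe access", "tcp", 80, b"cmd.exe", "to_server,established"),
    Rule("NETBIOS SMB IPC$ share access", "tcp", 445, b"IPC$", "to_server,established"),
    Rule("MS-SQL worm propagation (UDP, no flow)", "udp", 1434, b"WORM-MARKER"),
]

ATTACKER, VICTIM = "10.0.0.9", "10.0.0.5"   # constructed addresses


def apache_scenario():
    """Apache answers on :80, so the handshake completes and the IIS rule fires."""
    return [
        Packet("tcp", ATTACKER, 40001, VICTIM, 80, "S"),
        Packet("tcp", VICTIM, 80, ATTACKER, 40001, "SA"),
        Packet("tcp", ATTACKER, 40001, VICTIM, 80, "A"),
        Packet("tcp", ATTACKER, 40001, VICTIM, 80, "PA", b"GET /scripts/cmd.exe HTTP/1.0\r\n\r\n"),
    ]


def closed_smb_scenario():
    """Nothing listens on :445: SYN gets RST, so even a later data segment alerts nothing."""
    return [
        Packet("tcp", ATTACKER, 40002, VICTIM, 445, "S"),
        Packet("tcp", VICTIM, 445, ATTACKER, 40002, "RA"),
        Packet("tcp", ATTACKER, 40002, VICTIM, 445, "PA", b"\x00...IPC$..."),
    ]


def udp_worm_scenario():
    """Single UDP datagram; the rule has no flow option, so it fires with no session."""
    return [Packet("udp", ATTACKER, 1234, VICTIM, 1434, "", b"\x04WORM-MARKER")]


if __name__ == "__main__":
    for name, pkts in [("apache", apache_scenario()),
                       ("closed smb", closed_smb_scenario()),
                       ("udp worm", udp_worm_scenario())]:
        print(name, "->", scan(RULES, pkts))
```

The model makes the practical consequence explicit: a sensor on a Windows-free segment still reports the HTTP-borne IIS probes, because Apache's SYN/ACK is what satisfies established, but never reports the SMB ones, because the RST from a closed port means there is no stream for the rule engine to attach to. The UDP rule has no such dependency, which is why Slammer-style traffic shows up regardless.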