Snort mailing list archives

RE: How to Triggering Windows Exploits?


From: "Alan" <ids () san rr com>
Date: Wed, 26 May 2004 00:02:05 -0700

James,


Let me see if I have this correct... If flow: to_server, established is part
of a rule and there is a service allowing this establishment (http, ftp,
SQL...etc), then I should see alerts trigger regardless of whether I have a
system that can be affected, such as your example with Apache triggering IIS
alerts (Apache is advertising http port 80, allowing the established session;
then Snort detects the IIS exploit and sends me an alert). I think the key
to this is the flow: to_server, established part of the rule. It now makes
total sense if I have this all correct.


Thanks!


Alan


-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of James Riden
Sent: Tuesday, May 25, 2004 6:05 PM
To: ids () san rr com
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] How to Triggering Windows Exploits?

ids () san rr com writes:

Hi Joshua,

Your answer is a little bit different from what I was asking. Let me
elaborate a little. Are the rules written in a way that requires a
targeted computer to respond to an attack, or something of that
nature, for Snort to issue an alert? I have yet to see my Snort
sensor alert me to any MS exploits (various network worms such as
Sasser, Blaster, etc.). I assumed the reason for this was because
there are no Windows PCs connected to the network Snort is sensing
on.

If you haven't got any Windows boxes, you sometimes won't be able to
establish a TCP session, e.g. for ports 1900, 1500, 445, etc., so most of
the rules won't fire.

If you're running stuff like samba, you should still be able to see
warnings about connecting to IPC$, or if you've got Apache, the IIS
rules will happily alert you to attempted cmd.exe accesses, etc. And
you may see stuff like Slammer worm packets because that's UDP and
doesn't need a session established.

cheers,
 Jamie
--
James Riden / j.riden () massey ac nz / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/



-------------------------------------------------------
This SF.Net email is sponsored by: Oracle 10g
Get certified on the hottest thing ever to hit the market... Oracle 10g.
Take an Oracle 10g class now, and we'll give you the exam FREE.
http://ads.osdn.com/?ad_id=3149&alloc_id=8166&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



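The point Jamie makes above (a rule carrying flow:to_server,established never gets to its content match unless Snort's stream tracker has seen a completed three-way handshake, while a UDP rule has no such gate) can be shown with a small model. The following is an added example, not code from this thread or from the Snort project: it is a toy stream tracker plus rule matcher written in Python. The rule SIDs, hosts, ports and payload patterns are constructed for illustration and are not Snort's real rule set; the content strings only loosely resemble the cmd.exe, IPC$ and Slammer signatures the thread mentions.

```python
"""Toy model of Snort's flow:to_server,established gating.
Constructed example; not Snort code. SIDs and patterns are made up."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""         # TCP flags: "S", "SA", "A", "PA", "R"
    payload: bytes = b""


@dataclass(frozen=True)
class Rule:
    sid: int
    msg: str
    proto: str
    dport: int
    content: bytes
    established: bool = False   # models flow:to_server,established


class StreamTracker:
    """Tracks client->server TCP handshakes; a flow counts as established
    only after SYN, SYN/ACK and the client's ACK have all been seen."""

    def __init__(self):
        self.state = {}     # (client, cport, server, sport) -> state string

    def update(self, p):
        if p.proto != "tcp":
            return          # UDP has no session state to track
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if p.flags == "S" and fwd not in self.state:
            self.state[fwd] = "syn"
        elif p.flags == "SA" and self.state.get(rev) == "syn":
            self.state[rev] = "synack"
        elif "A" in p.flags and self.state.get(fwd) == "synack":
            self.state[fwd] = "established"

    def established_to_server(self, p):
        return self.state.get((p.src, p.sport, p.dst, p.dport)) == "established"


# Constructed rules, loosely modelled on the categories named in the thread.
RULES = [
    Rule(100, "WEB-IIS cmd.exe access (toy)", "tcp", 80, b"cmd.exe", established=True),
    Rule(200, "NETBIOS SMB IPC$ share access (toy)", "tcp", 445, b"IPC$", established=True),
    Rule(300, "MS-SQL Slammer propagation (toy)", "udp", 1434, b"\x04\x01\x01\x01\x01"),
]


def run_rules(packets, rules=RULES):
    """Return the SIDs that fire, in packet order."""
    tracker = StreamTracker()
    alerts = []
    for p in packets:
        tracker.update(p)
        for r in rules:
            if r.proto != p.proto or r.dport != p.dport:
                continue
            if r.established and not tracker.established_to_server(p):
                continue    # no completed handshake: content is never checked
            if r.content in p.payload:
                alerts.append(r.sid)
    return alerts


# Constructed traffic samples. 10.0.0.5 is the sensor's monitored host
# (a Linux box running Apache but no SMB or MS-SQL), 10.0.0.9 the attacker.
def scenario_no_listener():
    """Sasser-style probe of tcp/445: the host RSTs, no payload ever flows."""
    return [Packet("tcp", "10.0.0.9", 3021, "10.0.0.5", 445, "S"),
            Packet("tcp", "10.0.0.5", 445, "10.0.0.9", 3021, "R")]


def scenario_crafted_payload():
    """Exploit bytes replayed by a stateless packet tool with no handshake."""
    return [Packet("tcp", "10.0.0.9", 3022, "10.0.0.5", 445, "PA",
                   b"\x00\x00\x00\x40\xffSMB\\\\10.0.0.5\\IPC$\x00")]


def scenario_apache():
    """IIS-style cmd.exe request against Apache: session completes, rule fires."""
    c, s = ("10.0.0.9", 3023), ("10.0.0.5", 80)
    return [Packet("tcp", *c, *s, "S"),
            Packet("tcp", *s, *c, "SA"),
            Packet("tcp", *c, *s, "A"),
            Packet("tcp", *c, *s, "PA",
                   b"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n")]


def scenario_slammer():
    """Single UDP datagram to 1434: no session needed, rule fires at once."""
    return [Packet("udp", "10.0.0.9", 1050, "10.0.0.5", 1434, "",
                   b"\x04\x01\x01\x01\x01" + b"\x01" * 20)]


if __name__ == "__main__":
    for name, pkts in [("no listener", scenario_no_listener()),
                       ("crafted payload", scenario_crafted_payload()),
                       ("apache", scenario_apache()),
                       ("slammer", scenario_slammer())]:
        print(f"{name:16s} -> alerts {run_rules(pkts)}")
```

The second scenario is the one that usually confuses people testing a sensor: the IPC$ bytes are on the wire, but because the tracker never saw a SYN/ACK from the server, the established check fails and the content is never compared. Real Snort behaves the same way through its stream preprocessor, which is why a Linux-only segment stays quiet for Sasser and Blaster but still alerts on IIS requests hitting Apache and on Slammer's UDP packets.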