Snort mailing list archives

RE: Testing Snort


From: Jody Gilbert <JDG () ovum com>
Date: Mon, 2 Aug 2004 16:23:00 +0100

I spoke too soon!

 

It now detects the WEB-IIS attacks if I run them from the PC running snort.

 

Cheers,

Jody

 

  _____  

From: Jody Gilbert 
Sent: 02 August 2004 15:45
To: 'Joshua Berry'
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Testing Snort

 

It looks like this could be something to do with either Windows XP or XP
SP2.

I have just installed Snort on a Windows 2000 SP4 and it is working a treat.

 

Thanks,

Jody

 

  _____  

From: Joshua Berry [mailto:jberry () PENSON COM] 
Sent: 02 August 2004 14:24
To: Jody Gilbert
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Testing Snort

 

Do you have the http_inspect preprocessor enabled and correctly configured?

 

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Jody Gilbert
Sent: Sunday, August 01, 2004 3:24 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Testing Snort

 

Hello All,

I have just installed snort for the first time and am trying to test it from
my PC.

I am having trouble testing the web-iis rules.

I have tried accessing /msadcs.dll and /cmd.exe on some of the web servers
on our LAN, but no alerts are created by snort.

I added the following rule to Snort as a test, which produced plenty of alerts:

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"Test WEB-IIS";
flow:to_server; sid:1970; rev:6;)

However, when I add 'uricontent:"/msadcs.dll"; nocase;' to the above rule I
do not get any alerts.

I am new to Snort, so I imagine (hope) it's something pretty simple.

Can anyone point me in the right direction?

I am running Snort 2.1.3 on a Windows XP PC.

Cheers,

Jody

 

-------------------------------------------------------------------------
 
Jody Gilbert
IT Manager
 
Ovum
Cardinal Tower
12 Farringdon Road
London, EC1M 3HS

Direct Line: +44 (0) 20 7551 9002
Mobile: +44 (0) 7775 826 806
Fax: +44 (0) 20 7551 9090
Email: jdg () ovum com
www.ovum.com

Advising on the commercial impact of technology and market changes in
Telecoms, software and IT services.  Ovum has offices in London, Paris,
Cologne, Boston, Melbourne and Seoul.



*************** NOTICE & DISCLAIMER *************************

This email and any files transmitted with it are confidential and will be
protected by copyright and are for the attention of the addressee only. This
email may also be privileged.

If you have received this email in error please notify us by email reply and
delete it from your system. 
You may not copy this message or disclose its contents to anyone. Any views
or opinions presented in this email are solely those of the author and do
not necessarily represent those of Ovum. Ovum accepts no liability for the
content of this email, or for the consequences of any actions taken on the
basis of the information provided, unless you are the intended recipient and
such liability accords with Ovum's Terms and Conditions of Business. 

If you are not the intended recipient, please note that disclosing, copying,
distributing or taking any action in reliance on the contents of this
information is strictly prohibited.

Ovum accepts no liability for any damage caused by any virus transmitted by
this email. 

Registered Office: Ovum Holdings Limited, Cardinal Tower, 12 Farringdon
Road, London EC1M 3HS, United Kingdom

*******************************************************************
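The hint in Joshua Berry's reply is the key to Jody's original symptom: Snort's `uricontent` option does not search the raw packet payload, it searches the normalised URI buffer that the `http_inspect` preprocessor builds, so with the preprocessor disabled a rule with `uricontent` has nothing to match and stays silent, while the same rule without `uricontent` fires on every request. The Python below is an added model of that behaviour written for this archive page; it is not Snort source code and the normalisation it applies (percent-decoding in two passes, backslash-to-slash mapping, query-string removal, dot-segment collapsing) is a simplified stand-in for what `http_inspect` does. The rule string is Jody's test rule with the `uricontent`/`nocase` options he described added; the request lines are constructed, not captured traffic.

```python
"""Model of how Snort's uricontent depends on http_inspect URI normalisation.

Added example for this thread, not Snort code. Assumptions: 'uricontent'
matches only against a normalised URI buffer, which exists only when the
http_inspect preprocessor is enabled; 'nocase' modifies the preceding
uricontent pattern (both as documented for Snort 2.x rules).
"""
import posixpath
from urllib.parse import unquote

# Jody's test rule with the uricontent/nocase options added.
RULE = ('alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"Test WEB-IIS"; '
        'flow:to_server; uricontent:"/msadcs.dll"; nocase; sid:1970; rev:6;)')
# Same rule without nocase, to show why the modifier matters on IIS.
RULE_CASE_SENSITIVE = RULE.replace(" nocase;", "")


def parse_uricontent(rule):
    """Return [(pattern, nocase), ...] for every uricontent option in the rule."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    patterns = []
    for opt in (o.strip() for o in body.split(";")):
        if not opt:
            continue
        key, _, val = opt.partition(":")
        if key == "uricontent":
            patterns.append([val.strip().strip('"'), False])
        elif key == "nocase" and patterns:
            patterns[-1][1] = True          # modifier binds to previous pattern
    return [tuple(p) for p in patterns]


def normalize_uri(raw_uri):
    """Simplified http_inspect-style normalisation of a request URI.

    Two unquote passes catch double encoding (%256d -> %6d -> m), backslashes
    are mapped to '/' as IIS treats them, the query string is dropped and
    '.'/'..' segments and repeated slashes are collapsed.
    """
    uri = unquote(unquote(raw_uri))
    uri = uri.replace("\\", "/")
    uri = uri.split("?", 1)[0]
    return posixpath.normpath(uri) if uri.startswith("/") else uri


def request_matches(rule, request_line, http_inspect=True):
    """Does the rule's uricontent fire on this HTTP request line?

    With http_inspect disabled the URI buffer is never populated, so the
    option cannot match and the rule is silent: Jody's original symptom.
    """
    if not http_inspect:
        return False
    _method, _, rest = request_line.partition(" ")
    uri = normalize_uri(rest.split(" ", 1)[0])
    for pattern, nocase in parse_uricontent(rule):
        hay, needle = (uri.lower(), pattern.lower()) if nocase else (uri, pattern)
        if needle not in hay:
            return False
    return True


# Constructed request lines (not captured traffic) and the expected verdict.
SAMPLES = [
    ("GET /msadcs.dll HTTP/1.0", True),
    ("GET /MSADCS.DLL HTTP/1.0", True),                     # needs nocase
    ("GET /scripts/..%2f..%2fmsadcs.dll HTTP/1.0", True),   # encoded traversal
    ("GET /scripts\\..\\..\\msadcs.dll HTTP/1.0", True),    # IIS backslashes
    ("GET /%256dsadcs.dll?x=1 HTTP/1.0", True),             # double-encoded 'm'
    ("GET /index.html HTTP/1.0", False),
]


def run_samples(rule=RULE, http_inspect=True):
    """Evaluate every sample; returns [(request_line, expected, observed)]."""
    return [(line, want, request_matches(rule, line, http_inspect))
            for line, want in SAMPLES]


if __name__ == "__main__":
    for enabled in (True, False):
        print(f"http_inspect enabled: {enabled}")
        for line, want, got in run_samples(http_inspect=enabled):
            print(f"  {'ALERT ' if got else 'silent'}  {line}")
```

Two practical checks follow from the model. First, confirm that `preprocessor http_inspect` and `preprocessor http_inspect_server` lines are present and uncommented in snort.conf and that the server ports listed there match `$HTTP_PORTS`, otherwise URI-based rules never fire regardless of what the web servers receive. Second, Jody's later observation that alerts appear only when the requests originate from the sensor itself is the classic sign that the sensor is not seeing the other hosts' traffic at all: on a switched LAN an interface sees only its own and broadcast frames unless it is on a SPAN/mirror port or a hub, so run `snort -v` on the interface first to confirm the test traffic is visible before debugging rule syntax.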
