Re: Testing Snort with Blade IDS Informer

[Holger Mense <holger () project2501 de>]

Hello,

I did some further research.

* Holger Mense <holger () project2501 de>:

> Now I have recently tested my snort sensor (using snort 2.3.2 and latest snort 
> rules) with Blade Softwares IDS Informer demo version.
>
> However, I was a bit disappointed about the results. Besides the back orifice 
> and the two portscan attempts, my sensor didn't detect anything else of the 
> remaining 7 attacks provided by IDS Informer.
>
> In detail it didn't detect
>  - TCP DNS Zone Transfer
As stated in another email in this thread, I am able to see UDP DNS Zone 
Transfer alerts from real DNS servers.

>  - IIS htr Buffer Overflow
After editing the rule "WEB-IIS ism.dll attempt" and changing 'uricontent:" 
.htr"' in 'uricontent:".htr"' I am able to see this attack.

>  - traceroute attempt
I have just checked my logs. I have already "ICMP traceroute" alerts in my 
logs. However my sensor does not detect the one from IDS Informer.

So is any one here, who uses IDS Informer for testing his sensor? Is this 
person using the basic snort rule set (current version)? 

Thank you for your answers,
Holger

-- 
Holger Mense

Attachment: signature.asc
Description: Digital signature