Snort mailing list archives

MS12-063 Rule Triggering


From: "Kochen, Joe" <joe.kochen () americo com>
Date: Wed, 12 Dec 2012 22:45:48 +0000

Let me start this off with saying I'm a relative noob when it comes to analyzing rules and exactly how they are getting 
triggered. I'm not sure of the best avenue for asking this question, so bear with me.

With that said, I have the MS12-063 rule enabled. I can successfully exploit this vulnerability on the monitored network 
going through the sensors (using the standard Metasploit module); however, an event/alert never triggers. The sensors 
appear to be catching other misc things (just in case it was an overall problem with the sensor). I've taken a packet 
capture of the traffic and found all the keywords in the rule in the TCP stream, but I haven't drilled down far enough to 
actually be sure that all the other parameters would allow for the rule to trigger.

I imagine the issue could lie in many different places, but are there any specific global configuration settings that 
might make this happen? Where would I want to start looking? Please note that I'm using the Sourcefire 3D sensors with 
a defense center.

Appreciate it,

Joe
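When "all the keywords are in the stream" but no alert fires, the remaining suspects are the rule's other conditions: protocol and port variables, the `flow` direction and `established` state, the buffer the content is inspected in (`file_data` means the normalized HTTP response body, not raw TCP bytes), and the ordering imposed by `distance`/`within`. The script below is an added example, not part of this post and not Snort's own code: it parses a small constructed rule (a placeholder, not the real MS12-063 rule; its `sid` and `msg` are invented) and evaluates each condition separately against a constructed observation, so a failing condition is named instead of the rule silently not matching. `PORTVARS` and the observation fields are assumptions; IP variables such as `$HOME_NET` are not evaluated.

```python
import re

# Constructed sample rule for illustration only; it is NOT the real MS12-063 rule
# and its sid/msg are placeholders.
SAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any '
    '(msg:"EXAMPLE two ordered strings in an HTTP response"; '
    'flow:to_client,established; file_data; '
    'content:"<script"; nocase; content:"execCommand"; nocase; distance:0; '
    'classtype:attempted-user; sid:9000001; rev:1;)'
)

# Constructed variable values (assumption); real ones come from snort.conf or the
# policy, and a wrong $HTTP_PORTS is a common reason a rule never fires.
PORTVARS = {"$HTTP_PORTS": "80,8080"}

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
# One rule option: keyword, optional ":value" (quoted or bare), terminated by ';'.
OPT_RE = re.compile(r'\s*(?P<key>\w+)(?::\s*(?P<val>"(?:[^"\\]|\\.)*"|[^;]*))?;')


def decode_content(text):
    """Turn a Snort content string into bytes; |xx xx| sections are hex."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)


def parse_rule(text):
    """Split a rule into header fields, the ordered content chain, and other options."""
    hm = HEADER_RE.match(text.strip())
    if not hm:
        raise ValueError("not a Snort rule header")
    header = {k: hm.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    contents, options = [], {}
    for om in OPT_RE.finditer(hm.group("opts")):
        key, val = om.group("key"), om.group("val")
        if val and len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        if key == "content":
            contents.append({"bytes": decode_content(val), "nocase": False,
                             "distance": None, "within": None})
        elif key in ("nocase", "distance", "within") and contents:
            contents[-1][key] = True if key == "nocase" else int(val)  # modifies last content
        else:
            options[key] = val
    return {"header": header, "contents": contents, "options": options}


def port_ok(spec, port):
    """True if port satisfies a Snort port spec: any, N, N:M, a,b,c, !spec or $VAR."""
    spec = PORTVARS.get(spec, spec)
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not port_ok(spec[1:], port)
    for item in spec.strip("[]").split(","):
        lo, colon, hi = item.partition(":")
        lo_n = int(lo) if lo else 0
        hi_n = int(hi) if hi else (65535 if colon else lo_n)
        if lo_n <= port <= hi_n:
            return True
    return False


def match_contents(contents, payload):
    """Walk the content chain as Snort does: a content carrying distance/within is
    searched relative to the end of the previous match, otherwise in the whole buffer."""
    pos = 0
    for c in contents:
        hay, needle = payload, c["bytes"]
        if c["nocase"]:
            hay, needle = hay.lower(), needle.lower()
        relative = c["distance"] is not None or c["within"] is not None
        start = pos + (c["distance"] or 0) if relative else 0
        end = start + c["within"] if c["within"] is not None else len(hay)
        idx = hay.find(needle, start, end)
        if idx < 0:
            return False
        pos = idx + len(needle)
    return True


def evaluate(rule, obs):
    """Check each condition against one constructed observation: proto, src_port,
    dst_port, direction ('to_client'/'to_server'), established, payload. Since the
    rule uses file_data, payload is assumed to be the normalized HTTP response body."""
    h = rule["header"]
    flow = set((rule["options"].get("flow") or "").replace(" ", "").split(",")) - {""}
    wants_client = bool({"to_client", "from_server"} & flow)
    wants_server = bool({"to_server", "from_client"} & flow)
    checks = {
        "protocol": h["proto"] == obs["proto"],
        "src_port": port_ok(h["sport"], obs["src_port"]),
        "dst_port": port_ok(h["dport"], obs["dst_port"]),
        "flow_direction": (not wants_client or obs["direction"] == "to_client")
                          and (not wants_server or obs["direction"] == "to_server"),
        "established": "established" not in flow or obs["established"],
        "content_chain": match_contents(rule["contents"], obs["payload"]),
    }
    return {"fires": all(checks.values()), "checks": checks}


if __name__ == "__main__":
    # Constructed server-to-client response body; server port 80, client port 49152.
    obs = {"proto": "tcp", "src_port": 80, "dst_port": 49152, "direction": "to_client",
           "established": True, "payload": b'<html><SCRIPT>document.execCommand("x")</SCRIPT>'}
    for name, ok in evaluate(parse_rule(SAMPLE_RULE), obs)["checks"].items():
        print(f"{name:15} {'ok' if ok else 'FAIL'}")
```

Running the same body as a client-to-server request (ports reversed, direction `to_server`) makes `src_port` and `flow_direction` fail while `content_chain` still passes, which is exactly the situation where grepping the pcap for keywords looks like a match but the sensor correctly stays quiet. The `match_contents` logic is deliberately simplified (no `offset`/`depth`, no `pcre`, no escape handling); use it to reason about a rule, and confirm with the sensor itself by replaying the capture through it.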

