Snort mailing list archives
Re: Where do these rules come from?
From: Wesley Eddy <weddy () masaka cs ohiou edu>
Date: Thu, 16 Aug 2001 16:24:51 -0400
On Thu, Aug 16, 2001 at 03:09:37PM -0500, Steve Halligan wrote:
> This is just an example from web-cgi rules. There are several more like this. Is there something that has a /calendar that is a problem? If so, why isn't it named in the rule? I don't have a problem commenting it out, because I know that I have nothing with a /calendar url, but I just got to wondering why rules like this are there in the first place. It can make it difficult to decide whether to remove a rule, with no reference as to what the exploit/scan is that the rule is designed for.

It's useful to keep, whether or not you have such a script that needs protected. If you don't have the script installed, then there's absolutely no reason why anyone would be trying to access it unless they were seriously confused or they were scanning you, in which case I assume you'd like to be alerted!

The rules are there because there are kiddie tools which will scan a webserver for hundreds of commonly found known exploitable cgi programs, and if we didn't have rules to detect them, then we'd never know we were being scanned.

-Wes

--
"I can't see too well, what's it all about?
I don't know man, did you poke your eyes out?"
-Angry Samoans, "Lights Out"
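
An added example, not part of the original post and not Snort code: the reasoning in the reply above, applied to a web server access log. It flags any source that requests a path the server does not host, and labels it a scan when several distinct such paths are requested. The watch list (apart from /calendar), the threshold, the function names and the sample log are all constructed for illustration.

```python
import re
from collections import defaultdict

# Paths this hypothetical server does not host. Only /calendar comes from the
# thread; the other two are constructed placeholders.
WATCHED = ("/calendar", "/cgi-bin/example-a.cgi", "/cgi-bin/example-b.pl")

# Constructed access log in Common Log Format (documentation address ranges).
SAMPLE_LOG = """\
192.0.2.10 - - [16/Aug/2001:15:01:02 -0500] "GET /index.html HTTP/1.0" 200 1043
198.51.100.7 - - [16/Aug/2001:15:01:05 -0500] "GET /calendar HTTP/1.0" 404 210
198.51.100.7 - - [16/Aug/2001:15:01:05 -0500] "GET /cgi-bin/example-a.cgi HTTP/1.0" 404 210
198.51.100.7 - - [16/Aug/2001:15:01:06 -0500] "GET /cgi-bin/example-b.pl?x=1 HTTP/1.0" 404 210
203.0.113.5 - - [16/Aug/2001:15:04:40 -0500] "GET /calendar/ HTTP/1.0" 404 210
192.0.2.10 - - [16/Aug/2001:15:05:11 -0500] "GET /about.html HTTP/1.0" 200 2210
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) ')


def watched_hits(log_text):
    """Return {source address: set of watched paths it requested}."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not well-formed CLF
        src, uri, _status = m.groups()
        path = uri.split("?", 1)[0].lower()  # drop query string, fold case
        for prefix in WATCHED:
            if path.startswith(prefix):
                hits[src].add(prefix)
    return dict(hits)


def classify(log_text, scan_threshold=3):
    """Label each source: 'scan' for many distinct watched paths, else 'probe'."""
    return {
        src: "scan" if len(paths) >= scan_threshold else "probe"
        for src, paths in watched_hits(log_text).items()
    }


if __name__ == "__main__":
    for src, label in sorted(classify(SAMPLE_LOG).items()):
        print(src, label)
```
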