
Snort Question


From: "Bill Rogers" <billr94 () home com>
Date: Mon, 27 Aug 2001 19:45:02 -0500

I am new to using Snort and am trying to get it set up correctly. I would
like to monitor traffic containing the Code Red variants.  I installed
Snort on a Win2K box, and when I run the rule set I keep getting the
error C:\snort\rules\web-iis.rules:6 => Port value missing rule!

The reading I have done on Snort is pretty minimal.  I understand that
line 6 in the rules file is my problem.  Could anyone give me feedback on
what I must do? Below is a clip of the rules file I downloaded.

Any help appreciated.

Thanks,

Bill

<snip>

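# $Id: web-iis.rules,v 1.17 2001/08/07 02:18:44 roesch Exp $
#--------------
# WEB-IIS RULES
#--------------
# Signatures for requests aimed at Microsoft IIS (ISAPI .ida/.idq, Unicode
# directory traversal, sample scripts, admin pages). They alert only; use
# them together with host patching.
#
# Every rule must occupy exactly ONE physical line. The copy that circulated
# by e-mail was wrapped by the mail client, so each rule was split over
# several lines and the parser failed at line 6, where the first rule begins.
# The rules below are re-joined onto single lines.
#
# $EXTERNAL_NET and $HTTP_SERVERS are variables and must be defined in
# snort.conf (with `var`) before this file is included.
#
# Two fixes relative to the wrapped copy: the msg of sid:989 had its closing
# quote inside the parenthesis (`canonicalization")"`), and sid:977 used
# lowercase `flags:a+`; both are normalised to match the other rules.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS webdav file lock attempt"; flags:A+; content:"LOCK "; offset:0; depth:5; reference:bugtraq,2736; classtype:bad-unknown; sid:969; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS multiple decode attempt"; flags:A+; uricontent:"%5c"; uricontent:".."; reference:cve,CAN-2001-0333; classtype:attempted-user; sid:970; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .printer access"; uricontent:".printer"; nocase; flags:A+; reference:cve,CAN-2001-0241; reference:arachnids,533; classtype:attempted-recon; sid:971; rev:1;)
# .ida/.idq "attempt" rules require a payload larger than 239 bytes (dsize), which
# separates an overflow attempt from a plain probe for the same extension.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .ida attempt"; uricontent:".ida?"; nocase; dsize:>239; flags:A+; reference:arachnids,552; classtype:attempted-admin; reference:cve,CAN-2000-0071; sid:1243; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .ida access"; uricontent:".ida"; nocase; flags:A+; reference:arachnids,552; classtype:attempted-recon; reference:cve,CAN-2000-0071; sid:1242; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .idq attempt"; uricontent:".idq?"; nocase; dsize:>239; flags:A+; reference:arachnids,553; classtype:attempted-admin; reference:cve,CAN-2000-0071; sid:1244; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .idq access"; uricontent:".idq"; nocase; flags:A+; reference:arachnids,553; classtype:attempted-recon; reference:cve,CAN-2000-0071; sid:1245; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS %2E-asp access";flags: A+; uricontent:"%2e.asp"; nocase; reference:bugtraq,1814; reference:cve,CAN-1999-0253; classtype:attempted-recon; sid:972; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS *.idc attempt";flags: A+; content:"*.idc"; nocase; reference:bugtraq,1448; reference:cve,CVE-1999-0874; classtype:attempted-recon; sid:973; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ..\.. access";flags: A+; content:"|2e2e5c2e2e|"; reference:bugtraq,2218; reference:cve,CAN-1999-0229; classtype:attempted-recon; sid:974; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS .asp$data access";flags: A+; uricontent:".asp|3a3a|$data"; nocase; reference:bugtraq,140; reference:cve,CVE-1999-0278; classtype:attempted-recon; sid:975; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS .bat? access";flags: A+; uricontent:".bat?&"; nocase; reference:bugtraq,2023; reference:cve,CVE-1999-0233; classtype:attempted-recon; sid:976; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS .cnf access"; content:".cnf"; nocase; flags:A+; classtype:attempted-recon; sid:977; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ASP contents view"; flags: A+; content:"%20&CiRestriction=none&CiHiliteType=Full"; reference:cve,CAN-2000-0302; reference:bugtraq,1084; classtype:attempted-recon; sid:978; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ASP contents view"; flags: A+; uricontent:"/null.htw?CiWebHitsFile"; reference:bugtraq,1861; classtype:attempted-recon; sid:979; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS CGImail.exe access";flags: A+; uricontent:"/scripts/CGImail.exe"; nocase; reference:cve,CAN-2000-0726; reference:bugtraq,1623; classtype:attempted-recon; sid:980; rev:1;)
# Three encodings of the same overlong-UTF-8 "../" traversal; they differ only
# in the byte sequence matched.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS File permission canonicalization"; uricontent:"/scripts/..%c0%af../"; flags: A+; nocase; classtype:attempted-admin; sid:981; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS File permission canonicalization"; uricontent:"/scripts/..%c1%1c../"; flags: A+; nocase; classtype:attempted-admin; sid:982; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS File permission canonicalization"; uricontent:"/scripts/..%c1%9c../"; flags: A+; nocase; classtype:attempted-admin; sid:983; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS JET VBA access";flags: A+; uricontent:"/scripts/samples/ctguestb.idc"; nocase; reference:bugtraq,307; reference:cve,CVE-1999-0874; classtype:attempted-recon; sid:984; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS JET VBA access";flags: A+; uricontent:"/scripts/samples/details.idc"; nocase; reference:bugtraq,286; reference:cve,CVE-1999-0874; classtype:attempted-recon; sid:985; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS MSProxy access";flags: A+; uricontent:"/scripts/proxy/w3proxy.dll"; nocase; classtype:attempted-recon; sid:986; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS Overflow-htr access";flags: A+; content:"BBBB.htrHTTP"; nocase; classtype:attempted-recon; sid:987; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS SAM Attempt";flags: A+; content:"sam._"; nocase; classtype:attempted-recon; sid:988; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS Unicode2.pl script (File permission canonicalization)"; uricontent:"/sensepost.exe"; flags: A+; nocase; classtype:attempted-recon; sid:989; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS _vti_inf access";flags: A+; uricontent:"_vti_inf.html"; nocase; classtype:attempted-recon; sid:990; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS achg.htr access";flags: A+; uricontent:"/iisadmpwd/achg.htr"; nocase; reference:cve,CVE-1999-0407; reference:bugtraq,2110; classtype:attempted-recon; sid:991; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS adctest.asp access";flags: A+; uricontent:"/msadc/samples/adctest.asp"; nocase; classtype:attempted-recon; sid:992; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS admin access";flags: A+; uricontent:"/scripts/iisadmin"; nocase; classtype:attempted-admin; sid:993; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS admin-default access";flags: A+; uricontent:"/scripts/iisadmin/default.htm"; nocase; classtype:attempted-admin; sid:994; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS admin.dll access";flags: A+; uricontent:"/scripts/iisadmin/ism.dll?http/dir"; nocase; reference:cve,CVE-2000-0630; reference:bugtraq,189; classtype:attempted-admin; sid:995; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS anot.htr access";flags: A+; uricontent:"/iisadmpwd/anot"; nocase; reference:bugtraq,2110; reference:cve,CAN-1999-0407; classtype:attempted-recon; sid:996; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS asp-dot attempt";flags: A+; uricontent:".asp."; nocase; classtype:attempted-recon; sid:997; rev:1;)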


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

