Re: downloading rules from snort.org while snort is running on your server.

["Frontgate Lab" <mdiwan () wagweb com>]

 Ah.. Thank you Matthew,

 I think I like that.. even if its redundant... i'm surprised that the
download did not trigger any other alerts though.. given the contents of
the snort rules tarballs.


Matthew Collins wrote:
> All the snort rule is doing is looking for the content
>
> window.open("readme.eml"
>
> coming from a web server. As the rule matches itself, downloading the rule from a web server will trigger the rule. 
> Note, only the first rule will match, the second will not, as it checks URI content, not just any content.
>
> > > > "Frontgate Lab" <mdiwan () wagweb com> 12/10/01 16:45:23 >>>
> Yes i did download rules from snort.org  BUT.. why would that trigger
> the readme.eml content alert?
>
> [root@fglab snort]# cat web-misc.rules | grep readme.eml
> alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"WEB-MISC readme.eml
> autoload attempt"; flags:A+; content:"window.open(\"readme.eml\"";
> nocase; classtype:attempted-user; sid:1290; rev:3;
> reference:url,www.cert.org/advisories/CA-2001-26.html;)
> alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"WEB-MISC readme.eml
> attempt"; flags:A+; uricontent:"readme.eml"; nocase;
> classtype:attempted-user; sid:1284; rev:3;
> reference:url,www.cert.org/advisories/CA-2001-26.html;)
>
> Madhav
>
> Matthew Collins wrote:
> > Look at the source port. 80 -> YourIP:35434.
> >
> > Been downloading some rules from the snort web site?
> >
> > > > > "Frontgate Lab" <mdiwan () wagweb com> 12/10/01 16:02:13 >>>
> > Hiya .. errm.. i think this is bad... i belive it is nimda:
> >
> > Oct 11 11:48:35 fglab snort[4483]: [1:1284:3] WEB-MISC readme.eml
> > attempt [Classification: Attempted User Privilege Gain] [Priority: 8]:
> > {TCP} 151.196.107.166:80 -> 192.168.150.203:35434
> >
> > nslookup results:
> >
> >  nslookup 151.196.107.166
> > Note:  nslookup is deprecated and may be removed from future releases.
> > Consider using the `dig' or `host' programs instead.  Run nslookup with
> > the `-sil[ent]' option to prevent this message from appearing.
> > Server:         207.150.196.199
> > Address:        207.150.196.199#53
> >
> > Non-authoritative answer:
> > 166.107.196.151.in-addr.arpa    name = snort.sourcefire.com.
> >
> > Authoritative answers can be found from:
> > 166.107.196.151.in-addr.arpa    nameserver = ns1.sourcefire.com.
> > 166.107.196.151.in-addr.arpa    nameserver = ns2.sourcefire.com.
> > ns1.sourcefire.com      internet address = 151.196.107.164
> > ns2.sourcefire.com      internet address = 151.196.107.165


Note: The information contained in this message may be privileged and confidential and protected from disclosure.  If 
the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this 
message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this 
communication is strictly prohibited. If you have received this communication in error, please notify us immediately by 
replying to the message and deleting it from your computer.  Thank you.  Wagner Weber & Williams

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users