Snort mailing list archives
snort 1.8.1 sometimes not logging packets on .ida attempt rule
From: Russell Fulton <r.fulton () auckland ac nz>
Date: Mon, 15 Oct 2001 15:58:40 +1300 (NZDT)
Greetings,

I am running snort 1.8.1 on a debian linux system. With the demise of Code Red II the noise level on the .ida alerts has dropped way down but I am still seeing a trickle of ida alerts. A few are the old original code red (with the NNNN padding) as expected, but others don't have any packet captures to correspond to the alerts.

I also have an old snort 1.7 running on another box watching the same bit of network, and this one does not record the .ida attempts that fail to produce packet captures on 1.8.1 (yes, I do have an ida? rule in the 1.7 ruleset).

I have verified in at least one instance that the alert was correct by examining the logs of the web server which was targeted.

[**] [1:1243:1] WEB-IIS ISAPI .ida attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 10]
10/15-14:11:29.254613 0:0:0:0:0:0 -> 0:0:0:0:0:0 type:0x0 len:0x5EE
212.45.6.18:48445 -> 130.216.74.20:80 TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:1504
***AP*** Seq: 0xA70ABE0D Ack: 0x73F6BD5A Win: 0x2238 TcpLen: 20

212.45.6.18 - - [15/Oct/2001:14:11:29 +1300] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 336 "-" "-"

Here is the ida rule that I am using on 1.8.1:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .ida attempt"; uricontent:".ida?"; nocase; dsize:>239; flags:A+; reference:arachnids,552; classtype:attempted-admin; reference:cve,CAN-2000-0071; sid:1243; rev:1;)

and 1.7:

alert TCP $EXTERNAL_NET any -> $HOME_NET 80 (msg: "IDS552/web-iis_IIS ISAPI Overflow ida"; flags: A; content: ".ida?";)

Any ideas why 1.7 isn't logging these and (more importantly ;-) 1.8.1 isn't logging the packet?
Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand
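Added example (not code from the post or from the Snort project): a small Python model of the options that decide the match in the two quoted rules, applied to the packet described by the alert above. It shows the Snort 1.x flags semantics, where flags:A with no modifier requires the ACK bit alone while flags:A+ also accepts ACK+PSH packets like the ***AP*** one shown; the payload size is derived from DgmLen minus IpLen and TcpLen, and the URI is a constructed shortening of the request in the access log line.

```python
# Order of flag letters in Snort's alert output column, e.g. "***AP***":
# two reserved bits, then URG, ACK, PSH, RST, SYN, FIN.
FLAG_LETTERS = "UAPRSF"

def parse_alert_flags(field):
    """Turn an alert flag column such as '***AP***' into a set of flag letters."""
    return {c for c in field if c in FLAG_LETTERS}

def flags_match(spec, pkt_flags):
    """Snort 1.x 'flags' option: no modifier means the packet must carry exactly the
    listed bits; '+' means the listed bits plus any others; '*' means any of the
    listed bits."""
    modifier = spec[-1] if spec[-1] in "+*" else ""
    wanted = set(spec.rstrip("+*"))
    if modifier == "+":
        return wanted <= pkt_flags
    if modifier == "*":
        return bool(wanted & pkt_flags)
    return wanted == pkt_flags

def rule_matches(rule, pkt):
    """Evaluate the subset of rule options used by the two rules in the post."""
    if "flags" in rule and not flags_match(rule["flags"], pkt["flags"]):
        return False
    if "dsize_gt" in rule and not pkt["dsize"] > rule["dsize_gt"]:
        return False
    needle = rule.get("uricontent") or rule.get("content")
    haystack = pkt["uri"] if "uricontent" in rule else pkt["payload"]
    if rule.get("nocase"):
        needle, haystack = needle.lower(), haystack.lower()
    return needle in haystack

# The two rules quoted in the post, reduced to the options that decide the match.
RULE_181 = {"uricontent": ".ida?", "nocase": True, "dsize_gt": 239, "flags": "A+"}
RULE_17 = {"content": ".ida?", "flags": "A"}

# Packet reconstructed from the alert: ***AP***, DgmLen 1504, IpLen 20, TcpLen 20.
# The URI below is a constructed shortening of the request in the access log line.
URI = "/default.ida?" + "N" * 224 + "%u9090%u6858%ucbd3%u7801"
PACKET = {
    "flags": parse_alert_flags("***AP***"),
    "dsize": 1504 - 20 - 20,  # IP total length minus IP and TCP headers
    "uri": URI,
    "payload": "GET " + URI + " HTTP/1.0\r\n",
}

def evaluate():
    # Which of the two rules fires on the reconstructed packet.
    return {"1.8.1": rule_matches(RULE_181, PACKET), "1.7": rule_matches(RULE_17, PACKET)}
```

Running evaluate() reports the 1.8.1 rule firing and the 1.7 rule not, since the packet carries PSH as well as ACK.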