Snort mailing list archives

RE: Curse of the cmd.exe


From: "Andy McLeod" <andy.mcleod () alivero com>
Date: Fri, 14 Jun 2002 08:58:07 +0100

Sam

I am using sec, a Perl-based correlation engine, to allow me to correlate
events detected by snort and/or from other engines. I make sure all the
events I am interested in are reported to syslog (from wherever they are
detected, in your case snort and httpd), then use sec to track the
correlation.

For sec see:-

http://www.estpak.ee/~risto/sec/


rgds/andy


-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of Sam Evans
Sent: 14 June 2002 01:28
To: snort-users () lists sourceforge net
Subject: [Snort-users] Curse of the cmd.exe


I was wondering if there is any way to alter a signature (maybe by using the
dynamic rules?) to have it record when a cmd.exe attempt on port 80 is
followed by the server's 200 OK ?

It seems pointless to me, to log 10,000 cmd.exe attempts from outside hosts,
when you don't know what the actual outcome was..  Sure, you have to go to
your webserver logs to find out the real result, but, with all the Nimda /
Codered still going on..   That makes for a very long day of log searching.

Does anyone have suggestions for a solution?  Is there one?  It seems like
it should be really easy to do.. in theory..

Thanks,
Sam



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
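A worked example of the pairing Andy describes and Sam asks for, added here and not code from the thread, from Snort or from sec: a small Python correlator that reads Snort alerts and httpd access entries from one syslog stream and reports only those cmd.exe attempts that the web server actually answered with 200. The log lines are constructed samples (the Snort lines follow the shape of its syslog alert output; the httpd lines assume the Apache access log has been piped into syslog), and the 60-second pairing window is an assumed value.

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog lines (not taken from the thread). The Snort lines
# follow the shape of its syslog alert output; the httpd lines assume the Apache
# access log has been piped into syslog on the web server.
SAMPLE_LINES = [
    "Jun 14 01:20:03 ids snort[1234]: [1:1002:5] WEB-IIS cmd.exe access "
    "[Classification: Web Application Attack] [Priority: 1]: "
    "{TCP} 192.0.2.10:3456 -> 198.51.100.5:80",
    'Jun 14 01:20:04 web httpd: 192.0.2.10 - - [14/Jun/2002:01:20:04 +0000] '
    '"GET /scripts/cmd.exe HTTP/1.0" 404 -',
    "Jun 14 01:21:10 ids snort[1234]: [1:1002:5] WEB-IIS cmd.exe access "
    "[Classification: Web Application Attack] [Priority: 1]: "
    "{TCP} 203.0.113.7:4000 -> 198.51.100.5:80",
    'Jun 14 01:21:11 web httpd: 203.0.113.7 - - [14/Jun/2002:01:21:11 +0000] '
    '"GET /scripts/cmd.exe HTTP/1.0" 200 1893',
    "Jun 14 01:30:00 ids snort[1234]: [1:1002:5] WEB-IIS cmd.exe access "
    "[Classification: Web Application Attack] [Priority: 1]: "
    "{TCP} 198.51.100.9:5100 -> 198.51.100.5:80",
    'Jun 14 01:35:00 web httpd: 198.51.100.9 - - [14/Jun/2002:01:35:00 +0000] '
    '"GET /scripts/cmd.exe HTTP/1.0" 200 1893',
    'Jun 14 01:36:00 web httpd: 192.0.2.44 - - [14/Jun/2002:01:36:00 +0000] '
    '"GET /index.html HTTP/1.0" 200 512',
]

SYSLOG_PREFIX = r"(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
SNORT_RE = re.compile(
    SYSLOG_PREFIX
    + r"snort\[\d+\]: \[[\d:]+\] (?P<msg>.*?) \[Classification:[^\]]*\] "
    + r"\[Priority: \d+\]: \{TCP\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)
HTTPD_RE = re.compile(
    SYSLOG_PREFIX
    + r'httpd(?:\[\d+\])?: (?P<client>[\d.]+) \S+ \S+ \[[^\]]+\] '
    + r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+'
)


def parse_ts(text):
    """Syslog timestamps carry no year; the default (1900) is fine for deltas."""
    return datetime.strptime(text, "%b %d %H:%M:%S")


def correlate(lines, window_seconds=60):
    """Pair each Snort cmd.exe alert with the web server's own verdict.

    Returns a summary: 'confirmed' lists attempts the server answered 200
    within the window, 'refused' counts attempts answered with any other
    status, 'orphan_hits' counts cmd.exe requests in the access log with no
    alert in the window, and 'unmatched_alerts' counts alerts that never saw
    a server response (the noise Sam does not want to read through).
    """
    window = timedelta(seconds=window_seconds)   # assumed pairing window
    pending = {}   # attacker IP -> time of its latest Snort cmd.exe alert
    summary = {"confirmed": [], "refused": 0, "orphan_hits": 0}
    for line in lines:
        m = SNORT_RE.match(line)
        if m:
            if "cmd.exe" in m.group("msg") and m.group("dport") == "80":
                pending[m.group("src")] = parse_ts(m.group("ts"))
            continue
        m = HTTPD_RE.match(line)
        if not m or "cmd.exe" not in m.group("request").lower():
            continue
        client = m.group("client")
        hit_at = parse_ts(m.group("ts"))
        alert_at = pending.get(client)
        if alert_at is None or not (timedelta(0) <= hit_at - alert_at <= window):
            summary["orphan_hits"] += 1
            continue
        del pending[client]   # one alert is resolved by one server response
        if m.group("status") == "200":
            summary["confirmed"].append({
                "src": client,
                "request": m.group("request"),
                "alert_at": alert_at.strftime("%H:%M:%S"),
                "hit_at": hit_at.strftime("%H:%M:%S"),
            })
        else:
            summary["refused"] += 1
    summary["unmatched_alerts"] = len(pending)
    return summary


if __name__ == "__main__":
    result = correlate(SAMPLE_LINES)
    for hit in result["confirmed"]:
        print("CONFIRMED cmd.exe success from %(src)s "
              "(%(request)s, alert %(alert_at)s, 200 at %(hit_at)s)" % hit)
    print("refused=%d orphan_hits=%d unmatched_alerts=%d" % (
        result["refused"], result["orphan_hits"], result["unmatched_alerts"]))
```

On the sample input only the 203.0.113.7 attempt is reported: the 192.0.2.10 attempt got a 404, the 198.51.100.9 response arrived outside the window and so stays an open question rather than a confirmed hit, and the alert with no answer at all is counted rather than listed. In sec the same pairing is written as a rule that opens on the Snort alert and is satisfied or expired by the httpd line within a time window; whatever the tool, keying on the client IP and keeping the window short is what turns 10,000 attempts into the handful worth a log search.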