Snort mailing list archives
Snort not loggin hack attempts
From: "Santoro, David" <david.santoro () lmco com>
Date: Tue, 25 Jun 2002 13:13:18 -0400
Paul, what preprocessors are running? Do you have both the http-Decode 80 and the Unidecode 80 active? I have been doing some lab experiments with unicode and it seems that both need to be running for Snort to detect unicode, even though by the preprocessor descriptions only one of them needs to be.
We get loads of attempts every day and I was trying snort as an alternative real time detection system. I've currently downloaded the latest windows build of snort and am running it on Windows XP. Whilst it is running, it doesn't seem to be detecting any of the attacks. In particular, as you can see from the log file snippet below, it doesn't detect unicode exploit attempts we get all the time, which I have seen a module for in the config file.

2002-06-23 13:25:19 212.239.197.17 - 192.168.0.30 80 GET /scripts/root.exe /c+dir 404 3396 72 - - -
2002-06-23 13:25:23 212.239.197.17 - 192.168.0.30 80 GET /MSADC/root.exe /c+dir 404 3396 70 - - -
2002-06-23 13:25:34 212.239.197.17 - 192.168.0.30 80 GET /c/winnt/system32/cmd.exe /c+dir 404 3396 80 - - -
2002-06-23 13:25:37 212.239.197.17 - 192.168.0.30 80 GET /d/winnt/system32/cmd.exe /c+dir 404 3396 80 - - -
2002-06-23 13:25:39 212.239.197.17 - 192.168.0.30 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 3396 96 - - -
2002-06-23 13:25:41 212.239.197.17 - 192.168.0.30 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 500 0 117 - - -
2002-06-23 13:25:43 212.239.197.17 - 192.168.0.30 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 3396 117 - - -

The system is on the same hub as the gateway, so it should be able to see this as incoming traffic before it reaches the switch. My config file is as per the defaults. Any pointers as to why this isn't working?

Thanks,

Paul
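The log lines Paul posted are IIS W3C extended entries, and the reason Snort needs its HTTP decoding preprocessors for them is that the traversal is hidden behind percent-encoding (`..%5c..` is `..\..`). The following is an added example, not code from this thread or from the Snort project: a small Python detector that parses lines in that format, undoes the encoding the way a decoding preprocessor would (repeated percent-decoding so that double-encoded `%255c` is caught too, backslash-to-slash, slash collapsing), and then matches the normalised path. The field order, the benign `10.0.0.5` lines and the double-encoded line are constructed for the demonstration; it does not attempt overlong UTF-8 forms, which is what the unicode preprocessor handles.

```python
import re
from urllib.parse import unquote

# Constructed sample log. The 212.239.197.17 lines are copied from the thread; the
# 10.0.0.5 lines (one benign request, one double-encoded traversal) are made up.
SAMPLE_LOG = """\
2002-06-23 13:25:19 212.239.197.17 - 192.168.0.30 80 GET /scripts/root.exe /c+dir 404 3396 72 - - -
2002-06-23 13:25:39 212.239.197.17 - 192.168.0.30 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 3396 96 - - -
2002-06-23 13:25:41 212.239.197.17 - 192.168.0.30 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 500 0 117 - - -
2002-06-23 13:26:00 10.0.0.5 - 192.168.0.30 80 GET /index.html - 200 1024 60 - - -
2002-06-23 13:26:05 10.0.0.5 - 192.168.0.30 80 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 404 3396 98 - - -
"""

# Assumed IIS W3C field order (matches the columns in the thread's snippet).
FIELDS = ["date", "time", "c_ip", "cs_username", "s_ip", "s_port",
          "cs_method", "cs_uri_stem", "cs_uri_query", "sc_status",
          "sc_bytes", "cs_bytes"]

TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")          # a ".." path component
ENCODED_SEPARATOR = re.compile(r"%(25)*(2f|5c)", re.I)  # %2f, %5c, %252f, %255c ...
SHELL_TARGETS = ("/cmd.exe", "/root.exe")


def parse_line(line):
    """Split one W3C extended log line into a dict; None for short/comment lines."""
    parts = line.split()
    if line.startswith("#") or len(parts) < len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def normalize_uri(stem, max_rounds=3):
    """Canonical form of a request path: percent-decode until stable (bounded),
    treat backslash as a separator, collapse repeated slashes, lower-case."""
    cur, prev, rounds = stem, None, 0
    while cur != prev and rounds < max_rounds:
        prev, cur, rounds = cur, unquote(cur), rounds + 1
    cur = cur.replace("\\", "/")
    cur = re.sub(r"/+", "/", cur)
    return cur.lower()


def classify(record):
    """Return a finding dict for a suspicious request, or None for a clean one."""
    stem = record["cs_uri_stem"]
    norm = normalize_uri(stem)
    reasons = []
    if TRAVERSAL.search(norm):
        reasons.append("directory traversal after decoding")
    if norm.endswith(SHELL_TARGETS):
        reasons.append("request for command interpreter")
    if ENCODED_SEPARATOR.search(stem):
        reasons.append("percent-encoded path separator")
    if not reasons:
        return None
    return {
        "c_ip": record["c_ip"],
        "uri": stem,
        "normalized": norm,
        "status": record["sc_status"],
        # 4xx/5xx means the attempt failed; it is still worth alerting on.
        "succeeded": record["sc_status"].startswith("2"),
        "reasons": reasons,
    }


def detect(log_text):
    """Run classify() over every parsable line and return the findings."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        finding = classify(rec)
        if finding:
            findings.append(finding)
    return findings


def per_source(log_text):
    """Count findings per client IP, a cheap way to spot a scanner walking the site."""
    counts = {}
    for f in detect(log_text):
        counts[f["c_ip"]] = counts.get(f["c_ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f["c_ip"], f["status"], f["normalized"], "; ".join(f["reasons"]))
    print(per_source(SAMPLE_LOG))
```

Matching on the normalised path rather than on the raw `cs-uri-stem` is the whole point: a signature written for `/winnt/system32/cmd.exe` alone misses `..%5c..` and `..%255c..` unless something decodes first, which is exactly the role the http_decode and unidecode preprocessors play in front of Snort's rules.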
Current thread:
- Snort not loggin hack attempts Paul J. Smith (Jun 25)
- Re: Snort not loggin hack attempts Roberto Suarez Soto (Jun 25)
- Re: Snort not loggin hack attempts DataShark (Jun 25)
- <Possible follow-ups>
- Snort not loggin hack attempts Santoro, David (Jun 25)
- Re: Snort not loggin hack attempts Roberto Suarez Soto (Jun 25)