Snort mailing list archives

Re: Snort-1.9.0 not generating required alerts


From: Erek Adams <erek () theadamsfamily net>
Date: Mon, 14 Oct 2002 17:54:00 -0700 (PDT)

On Mon, 14 Oct 2002, archana rao wrote:

I had been using Snort-1.8.7 to detect the attacks
towards an IIS 4.0 server which uses the URI:
GET /scripts/..%c0%af../winnt/system32/cmd.exe/c+"

and alerts were being generated by Snort-1.8.7.
However, when I used Snort-1.9.0 to detect the same
attacks, no alerts were being generated although I
see from the source code that several improvements to
deal with attacks against IIS servers more efficiently
have been made which should enable Snort-1.9.0 to
generate more alerts. I am not able to figure out what
the problem is. Any suggestions?

First off, what alert do you expect to be generated?  What SID do you expect
to see?  From a quick grep thru the rules, I'd guess you are expecting to see
either 1065 or 1002.  One thing that has really changed in 1.9.0 is the
addition of the 'flow' keyword.  Since both of those rules are looking for
"flow:to_server,established", I'm going to guess that you're not establishing
a session, you're just firing the packets.

Do you have a packet capture of this?  Is it something that you can reproduce
at will?

Hope that helps!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
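To show why a rule carrying "flow:to_server,established" stays silent when the request is fired as a bare packet, here is an added example that is not part of the thread and not Snort's own code. It is a toy model: a minimal TCP handshake tracker plus two rule objects. The rule tagged with SID 1002 only borrows the SID the reply mentions; its content string and the second, stateless rule (SID 99999) are assumptions made for the demonstration, and the traffic is constructed inline.

```python
"""Toy model of flow-aware rule evaluation (added example, not Snort code).

A packet matches a rule with require_established=True only when the
tracker has seen SYN, SYN/ACK, ACK for that 5-tuple and the packet
travels from the side that sent the SYN (to_server).
"""
from dataclasses import dataclass

SYN, ACK = 0x02, 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    payload: bytes = b""


@dataclass(frozen=True)
class Rule:
    sid: int
    content: bytes
    require_established: bool


# Constructed rule models; contents are assumptions, not the real rule bodies.
RULES = [
    Rule(sid=1002, content=b"cmd.exe", require_established=True),   # modeled on the flow-aware rule
    Rule(sid=99999, content=b"cmd.exe", require_established=False),  # hypothetical stateless rule
]


class FlowTracker:
    """Tracks three-way handshakes keyed by the client's (src, sport, dst, dport)."""

    def __init__(self):
        self.state = {}

    @staticmethod
    def _key(p):
        return (p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _rkey(p):
        return (p.dst, p.dport, p.src, p.sport)

    def update(self, p):
        syn, ack = bool(p.flags & SYN), bool(p.flags & ACK)
        if syn and not ack:
            self.state[self._key(p)] = "syn_sent"
        elif syn and ack and self.state.get(self._rkey(p)) == "syn_sent":
            self.state[self._rkey(p)] = "syn_received"
        elif ack and not syn and self.state.get(self._key(p)) == "syn_received":
            self.state[self._key(p)] = "established"

    def direction(self, p):
        """'to_server' if p comes from the SYN sender, 'to_client' if from the peer."""
        if self._key(p) in self.state:
            return "to_server"
        if self._rkey(p) in self.state:
            return "to_client"
        return None

    def established(self, p):
        return (self.state.get(self._key(p)) == "established"
                or self.state.get(self._rkey(p)) == "established")


def evaluate(packets, rules=RULES):
    """Feed packets through the tracker; return (sid, packet_index) alerts."""
    tracker = FlowTracker()
    alerts = []
    for i, p in enumerate(packets):
        tracker.update(p)
        for r in rules:
            if r.content not in p.payload:
                continue
            if r.require_established and not (
                tracker.established(p) and tracker.direction(p) == "to_server"
            ):
                continue  # content matched, but no established to_server flow
            alerts.append((r.sid, i))
    return alerts


# Constructed traffic using the URI quoted in the question.
REQUEST = b"GET /scripts/..%c0%af../winnt/system32/cmd.exe/c+ HTTP/1.0\r\n\r\n"
CLIENT, SERVER = "10.0.0.5", "10.0.0.80"


def bare_request():
    """One ACK-flagged data packet with no preceding handshake."""
    return [Packet(CLIENT, 40000, SERVER, 80, ACK, REQUEST)]


def handshake_then_request():
    """The same request sent inside a completed three-way handshake."""
    return [
        Packet(CLIENT, 40001, SERVER, 80, SYN),
        Packet(SERVER, 80, CLIENT, 40001, SYN | ACK),
        Packet(CLIENT, 40001, SERVER, 80, ACK),
        Packet(CLIENT, 40001, SERVER, 80, ACK, REQUEST),
    ]


if __name__ == "__main__":
    print("bare replay   :", evaluate(bare_request()))          # only the stateless rule fires
    print("with handshake:", evaluate(handshake_then_request()))  # both rules fire
```

Run as-is: the bare replay yields only the hypothetical stateless rule, while the handshaked version also yields the flow-aware one. That is the behaviour the reply describes: the content is present either way, but a rule with flow:to_server,established needs the stream tracker to have seen a session first, so a packet capture showing whether a handshake precedes the request is the quickest way to confirm the diagnosis.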


