
RE: [Snort-users] CodeRed question amended



12-10-2004
Kliarsky, Adam D.
RE: [Snort-users] CodeRed question amended

Snort passes decoded packets through the preprocessors before sending them
to the signature engine. Do you see any (http_inspect) messages?

- adam




-----Original Message-----
From: snort-users-admin@lists.sourceforge.net
[mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of Foster, Ken
Sent: Friday, December 10, 2004 12:26 PM
To: snort-users@lists.sourceforge.net
Subject: [Snort-users] CodeRed question amended


I'm having trouble getting Snort to detect the following packet that
clearly looks to me like a CodeRed:

21:30:30.064488 80.6.66.193.2437 > 46.5.23.118.80: P
760737404:760738832(1428) ack 2140171777 win 17520 (frag 25611:1448@0+)
0x0000 4500 05bc 640b 6000 6c06 b3f5 5006 42c1 E...d.`.l...P.B.
0x0010 2e05 1776 0985 0050 2d57 ee7c 7f90 6e01 ...v...P-W.|..n.
0x0020 5018 4470 e686 0000 4745 5420 2f64 6566 P.Dp....GET./def
0x0030 6175 6c74 2e69 6461 3f4e 4e4e 4e4e 4e4e ault.ida?NNNNNNN

I am running on Windows XP (unfortunately) with Snort version:

Version 2.1.3-ODBC-MySQL-FlexRESP-WIN32 (Build 27) By Martin Roesch
(roesch@sourcefire.com, www.snort.org)
1.7-WIN32 Port By Michael Davis (mike@datanerds.net,
www.datanerds.net/~mike)
1.8 - 2.1 WIN32 Port By Chris Reid (chris.reid@codecraftconsultants.com)

I don't know why rule 1243 below from web-iis.rules is not triggering.
Does anyone have any idea why this isn't working? I am getting alerts
from other rules and no errors, so I'm not sure where else to look at
this point.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS
ISAPI .ida attempt"; flow:to_server,established; uricontent:".ida?";
nocase; reference:arachnids,552; reference:bugtraq,1065;
reference:cve,2000-0071; classtype:web-application-attack; sid:1243;
rev:11;)

Thanks.

Ken Foster


_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...st=ort-users


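An added example (not from this thread) that checks the quoted packet the way a defender would: a small Python decoder rebuilds the hex dump into bytes, walks the IP and TCP headers, applies the rule's uricontent test to the request URI, and flags that this is the first of several IP fragments, which Snort must reassemble before stream and http_inspect can hand a complete request to sid:1243. The only input is the 64 captured bytes from the post; the function names are my own.

```python
import struct

# Constructed input: the four tcpdump hex-dump lines quoted in the post above
# (the capture holds only the first 64 bytes of the 1468-byte IP datagram).
HEXDUMP = """
0x0000 4500 05bc 640b 6000 6c06 b3f5 5006 42c1 E...d.`.l...P.B.
0x0010 2e05 1776 0985 0050 2d57 ee7c 7f90 6e01 ...v...P-W.|..n.
0x0020 5018 4470 e686 0000 4745 5420 2f64 6566 P.Dp....GET./def
0x0030 6175 6c74 2e69 6461 3f4e 4e4e 4e4e 4e4e ault.ida?NNNNNNN
"""
HEXCHARS = set("0123456789abcdef")

def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild raw bytes from tcpdump -x lines, dropping offset and ASCII columns."""
    out = bytearray()
    for line in dump.splitlines():
        words = line.split()[1:9]              # at most eight 4-hex-digit words per line
        out += bytes.fromhex("".join(w for w in words if len(w) == 4 and set(w) <= HEXCHARS))
    return bytes(out)

def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Decode the IPv4 and TCP headers, as a decoder must before any rule runs."""
    ver_ihl, _, total_len, ip_id, flags_off, _, proto = struct.unpack("!BBHHHBB", pkt[:10])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", pkt[ihl:ihl + 14])
    return {
        "src": ".".join(map(str, pkt[12:16])), "dst": ".".join(map(str, pkt[16:20])),
        "ip_id": ip_id, "ip_total_len": total_len,
        "more_fragments": bool(flags_off & 0x2000),   # MF bit, tcpdump's trailing '+'
        "frag_offset": (flags_off & 0x1FFF) * 8,
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "payload": pkt[ihl + (off_flags >> 12) * 4:],
    }

def uricontent_matches(payload: bytes, needle: bytes = b".ida?") -> bool:
    """Emulate sid:1243's `uricontent:".ida?"; nocase;` against the request URI only."""
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    return len(parts) >= 2 and needle.lower() in parts[1].lower()

def triage(dump: str = HEXDUMP) -> dict:
    """Does the URI match the rule, and can the rule even see a whole request yet?"""
    pkt = parse_ipv4_tcp(hexdump_to_bytes(dump))
    pkt["ida_in_uri"] = uricontent_matches(pkt["payload"])
    # First fragment with MF set: Snort's IP defragmentation preprocessor (frag2 in
    # 2.1.x) must reassemble the datagram before stream/http_inspect and the rule see it.
    pkt["needs_reassembly"] = pkt["more_fragments"] or pkt["frag_offset"] > 0
    return pkt
```

Running `triage()` on the quoted bytes shows the URI does satisfy the rule's uricontent test, so the place to look is whether defragmentation and stream reassembly are completing, not the rule text itself.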