[Snort-devel] ``duplicate'' rules

Chris Green cmg at ...81...
Mon May 14 10:51:27 EDT 2001


Not really duplicate but useless if both web-misc and web-iis are
enabled in the same order as default snort.conf

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; flags: A+; content:"cmd.exe"; nocase; classtype:attempted-user;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC rcmd attempt"; flags: A+; content:"rcmd.exe"; nocase; classtype:attempted-recon;)
-- 
Chris Green <cmg at ...81...>
Let not the sands of time get in your lunch.
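
The overlap described in the message above, as an added example that is not part of the original post or of Snort: a check that flags a later rule whose content pattern can only match where an earlier rule already matches. It takes the message's premise that the earlier rule wins; the parser is a simplified one, and the names parse_rule, shadows and find_shadowed are hypothetical.

```python
import re

# The two rules from the message, in the order it describes (web-iis first).
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; '
    'flags: A+; content:"cmd.exe"; nocase; classtype:attempted-user;)',
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC rcmd attempt"; '
    'flags: A+; content:"rcmd.exe"; nocase; classtype:attempted-recon;)',
]
RULE_RE = re.compile(r'^(?P<header>[^(]+)\((?P<opts>.*)\)\s*$')

def parse_rule(text):
    """Simplified parser (assumption): one content option, no ';' inside values."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("not a rule: %r" % text)
    opts = {}
    for opt in m.group("opts").split(";"):
        key, _, value = opt.strip().partition(":")
        if key:
            opts[key.strip()] = value.strip().strip('"')
    return {"header": " ".join(m.group("header").split()), "opts": opts}

def shadows(earlier, later):
    """True if `earlier` matches wherever `later` does (header, flags, content only)."""
    eo, lo = earlier["opts"], later["opts"]
    if earlier["header"] != later["header"] or eo.get("flags") != lo.get("flags"):
        return False
    a, b = eo.get("content"), lo.get("content")
    if a is None or b is None:
        return False
    if "nocase" in eo:
        # Case-insensitive earlier pattern: a substring relation is enough.
        return a.lower() in b.lower()
    # A case-sensitive earlier pattern only covers a case-sensitive later one.
    return "nocase" not in lo and a in b

def find_shadowed(rule_texts):
    """Return (earlier msg, later msg) pairs where the later rule is shadowed."""
    rules = [parse_rule(t) for t in rule_texts]
    return [(e["opts"]["msg"], l["opts"]["msg"])
            for i, l in enumerate(rules) for e in rules[:i] if shadows(e, l)]

if __name__ == "__main__":
    for first, second in find_shadowed(RULES):
        print("%r is shadowed by earlier rule %r" % (second, first))
```

With the order reversed (the more specific rcmd.exe rule first), the check reports nothing.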



