[Snort-devel] New feature wanted: Locate the bad guy?

guano at ...2048...
Sun Jun 22 13:35:04 EDT 2003

Hi Martin,

I read your posting in snort-devel.

You might want to take a look at my snort detection engine "uninvited".
(I posted this morning to snort-devel about it.)

Rather than posting all the source code to the newsgroup, I uploaded it to
my web site:
  Select "Public Projects"
  Select "Snort uninvited detection engine"
You can download the snort.uninvited.tar.Z there, and also find
installation and usage instructions.
(Sorry for the round-about download method, but it cuts down on spam.)

I believe it will handle your requirement for directions:

alert tcp any any -> any any (uninvited; msg:"Attack"; content:"cmd.exe";)
alert tcp any any -> any any (uninvited; msg:"Response"; content:"\WINNT\system32";)

This assumes that the "cmd.exe" source should NEVER come from your firewall.
If you initiate the attack, then it will not trigger an alert.
But if someone else triggers the attack, then it will trigger the alert.
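As an added illustration of the direction-aware semantics described above (this is not the uninvited engine's own code): remember which side sent the first SYN of each TCP session, and apply the content rules only to sessions an outside host initiated. HOME_NET, the packet record and the sample packets are assumptions constructed here.

```python
import ipaddress
from dataclasses import dataclass

HOME_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed: our side of the firewall

@dataclass
class Packet:  # constructed stand-in for a decoded TCP packet
    src: str
    sport: int
    dst: str
    dport: int
    flags: str
    payload: bytes = b""

# The two rules from the post, reduced to (msg, content) pairs.
RULES = [("Attack", b"cmd.exe"), ("Response", b"\\WINNT\\system32")]

def flow_key(p):
    # Same key for both directions of a session.
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

def uninvited_alerts(packets):
    initiator = {}  # flow key -> address that sent the first bare SYN
    alerts = []
    for p in packets:
        key = flow_key(p)
        if "S" in p.flags and "A" not in p.flags and key not in initiator:
            initiator[key] = p.src
        # Assumption: a session whose SYN we never saw cannot be proven
        # "invited", so it is treated as uninvited.
        if key in initiator and ipaddress.ip_address(initiator[key]) in HOME_NET:
            continue  # we started this session; content matches do not fire
        for msg, pattern in RULES:
            if pattern in p.payload:
                alerts.append((msg, p.src, p.dst))
    return alerts

# Constructed traffic: an outsider opens a session to a home web server,
# then a home host opens its own session to an outside server.
SAMPLE = [
    Packet("203.0.113.5", 40000, "192.168.1.10", 80, "S"),
    Packet("192.168.1.10", 80, "203.0.113.5", 40000, "SA"),
    Packet("203.0.113.5", 40000, "192.168.1.10", 80, "PA", b"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir"),
    Packet("192.168.1.10", 80, "203.0.113.5", 40000, "PA", b"Directory of C:\\WINNT\\system32"),
    Packet("192.168.1.20", 50000, "198.51.100.7", 80, "S"),
    Packet("198.51.100.7", 80, "192.168.1.20", 50000, "SA"),
    Packet("192.168.1.20", 50000, "198.51.100.7", 80, "PA", b"GET /cmd.exe"),
]

if __name__ == "__main__":
    for a in uninvited_alerts(SAMPLE):
        print(a)
```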

