[Snort-sigs] Pass rules for Exchange 2000 OWA
JDell at ...155...
Tue Oct 23 09:19:21 EDT 2001
It is probably the rules order. Make sure you have a "-o" arg when running
snort. This will change the rules order to pass->alert->log.
From: Cessna, Michael [mailto:MCessna at ...153...]
Sent: Tuesday, October 23, 2001 11:46 AM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] Pass rules for Exchange 2000 OWA
I am trying to write a pass rule for Exchange 2000 Outlook Web Access. The
problem is that the OWA connections keep tripping the WebDAV rules in the
web-misc rules files. I would like to keep the alerts active but pass the
The WebDAV rule that keeps tripping is:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC webdav search access"; flags: A+; content: "SEARCH "; depth: 8; nocase; reference:arachnids,474; classtype:bad-unknown; sid:1070; rev:1;)
I tried to use the following pass rule to ignore the OWA connections:
pass tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC webdav search access by Exchange OWA connection"; flags: A+; content: "SEARCH /exchange"; depth: 8; nocase; reference:arachnids,474; classtype:bad-unknown; sid:1070;
This is a copy of the webdav rule except that I added the /exchange to the
content match. I just can't seem to see what I am doing wrong. Maybe I am
just on crack today :)
Any help would be greatly appreciated,
308 Lancaster Ave.
Wynnewood, PA 19096
mcessna at ...153...
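
A simplified model of the rule ordering and content/depth matching discussed in this thread, as an added example that is not part of either message and not Snort's own code. It shows the pass rule winning only when pass rules are evaluated first (-o) and when depth covers the whole 16-byte content string; PASS_DEPTH_16, the default order constant and the sample requests are assumptions constructed for illustration.

```python
# Simplified model of Snort 1.x rule evaluation (added example, not Snort code).
# Models only action, content, depth and nocase; flags: A+ is assumed to match.

DEFAULT_ORDER = ("alert", "pass", "log")  # assumed Snort 1.x order without -o
O_FLAG_ORDER = ("pass", "alert", "log")   # order with -o, as stated in the reply


def content_match(payload, content, depth, nocase=True):
    """Search for content only within the first `depth` bytes of the payload."""
    window = payload[:depth]
    if nocase:
        window, content = window.lower(), content.lower()
    return content in window


def evaluate(rules, payload, order):
    """Walk the action groups in order; the first matching rule decides."""
    for action in order:
        for rule in rules:
            if rule["action"] == action and content_match(
                payload, rule["content"], rule["depth"]
            ):
                return action
    return None


# The two rules from the thread, reduced to the options that decide the match.
ALERT_1070 = {"action": "alert", "content": b"SEARCH ", "depth": 8}
PASS_AS_POSTED = {"action": "pass", "content": b"SEARCH /exchange", "depth": 8}
# Assumption: depth raised to the length of the content string (16 bytes).
PASS_DEPTH_16 = {"action": "pass", "content": b"SEARCH /exchange", "depth": 16}

# Constructed sample requests, not captured traffic.
OWA_REQUEST = b"SEARCH /exchange/user/Inbox HTTP/1.1\r\nHost: mail.example.com\r\n\r\n"
OTHER_REQUEST = b"SEARCH /other/path HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

if __name__ == "__main__":
    cases = (
        ("pass as posted, -o", [ALERT_1070, PASS_AS_POSTED], O_FLAG_ORDER, OWA_REQUEST),
        ("depth 16, no -o", [ALERT_1070, PASS_DEPTH_16], DEFAULT_ORDER, OWA_REQUEST),
        ("depth 16, -o", [ALERT_1070, PASS_DEPTH_16], O_FLAG_ORDER, OWA_REQUEST),
        ("depth 16, -o, non-OWA", [ALERT_1070, PASS_DEPTH_16], O_FLAG_ORDER, OTHER_REQUEST),
    )
    for label, rules, order, payload in cases:
        print(f"{label}: {evaluate(rules, payload, order)}")
```

With depth 16 and -o, only requests under /exchange are passed; other SEARCH requests still reach the alert rule.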