[Snort-sigs] Pass rules for Exchange 2000 OWA

Dell, Jeffrey JDell at ...155...
Tue Oct 23 09:19:21 EDT 2001


Michael,
 
It is probably the rule order. Make sure you have a "-o" arg when running
snort. This will change the rule order to pass->alert->log.
 
Jeff

-----Original Message-----
From: Cessna, Michael [mailto:MCessna at ...153...]
Sent: Tuesday, October 23, 2001 11:46 AM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] Pass rules for Exchange 2000 OWA



Hello all, 
I am trying to write a pass rule for Exchange 2000 Outlook Web Access. The
problem is that the OWA connections keep tripping the web dav rules in the
web-misc rules files. I would like to keep the alerts active but pass the
OWA connections.

The Webdav rule that keeps tripping is: 
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC webdav search access"; flags: A+; content: "SEARCH "; depth: 8; nocase; reference:arachnids,474; classtype:bad-unknown; sid:1070; rev:1;)

I tried to use the following pass rule to ignore the OWA connections: 
pass tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC webdav search access by Exchange OWA connection"; flags: A+; content: "SEARCH /exchange"; depth: 8; nocase; reference:arachnids,474; classtype:bad-unknown; sid:1070; rev:1;)

This is a copy of the webdav rule except that I added the /exchange to the
content match. I just can't seem to see what I am doing wrong. Maybe I am
just on crack today :)

Any help would be greatly appreciated, 

Michael Cessna 
Network Engineer 
RealTime Media 
308 Lancaster Ave. 
Wynnewood, PA 19096 
p.610-896-9400 x308 
f.610-896-9416 
mcessna at ...153... 
www.realtimemedia.com 
www.rtm.com 

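A worked model of the two behaviours this thread turns on, added here as an example; it is not Snort's own code and not code from either poster. It reproduces just enough of Snort 1.x to show what happens to an OWA request under the quoted sid:1070 alert rule and the posted pass rule: the order in which rule types are evaluated (alert->pass->log by default, pass->alert->log with "snort -o", as Jeff describes), and the content/depth/nocase options. The depth:16 variant of the pass rule is an assumed fix that does not appear in the thread; the HTTP request payloads are constructed, not captured traffic.

```python
"""Toy model of Snort 1.x rule ordering and content/depth matching.

Added example, not Snort's own code and not code from either poster.
Payloads below are constructed HTTP request lines, not captured OWA traffic.
"""

from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Rule:
    action: str       # "pass" or "alert"
    msg: str
    content: bytes    # pattern from the content: option
    depth: int        # depth: option, search only this many leading bytes
    nocase: bool = True

    def matches(self, payload: bytes) -> bool:
        # depth limits the search window to the first `depth` payload bytes,
        # so a pattern longer than depth can never match anything.
        window = payload[: self.depth]
        if self.nocase:
            return self.content.lower() in window.lower()
        return self.content in window


DEFAULT_ORDER: Sequence[str] = ("alert", "pass", "log")     # Snort 1.x default
PASS_FIRST_ORDER: Sequence[str] = ("pass", "alert", "log")  # snort -o


def evaluate(payload: bytes, rules: List[Rule],
             order: Sequence[str] = DEFAULT_ORDER) -> Optional[Tuple[str, str]]:
    """Return (action, msg) of the first rule that fires in type order, else None.

    Snort works through one rule type at a time and the first match ends
    evaluation for the packet, so a pass match only suppresses an alert
    when pass rules are evaluated before alert rules.
    """
    for action in order:
        for rule in rules:
            if rule.action == action and rule.matches(payload):
                return (action, rule.msg)
    return None


# sid:1070 from web-misc.rules as quoted in the thread.
WEBDAV_SEARCH = Rule("alert", "WEB-MISC webdav search access", b"SEARCH ", 8)

# The pass rule exactly as posted: a 16-byte pattern searched under depth:8.
PASS_AS_POSTED = Rule("pass", "WEB-MISC webdav search access by Exchange OWA connection",
                      b"SEARCH /exchange", 8)

# Assumed fix (not in the thread): widen depth to cover the whole pattern.
PASS_FIXED = Rule("pass", "WEB-MISC webdav search access by Exchange OWA connection",
                  b"SEARCH /exchange", 16)

# Constructed sample payloads (hypothetical hosts and mailbox path).
OWA_REQUEST = b"SEARCH /exchange/mcessna/Inbox/ HTTP/1.1\r\nHost: owa.example.test\r\n"
OTHER_SEARCH = b"SEARCH / HTTP/1.1\r\nHost: www.example.test\r\n"


def scenarios() -> dict:
    """Run the combinations a practitioner would want to compare side by side."""
    return {
        "default order, pass as posted": evaluate(OWA_REQUEST, [WEBDAV_SEARCH, PASS_AS_POSTED]),
        "-o order, pass as posted": evaluate(OWA_REQUEST, [WEBDAV_SEARCH, PASS_AS_POSTED], PASS_FIRST_ORDER),
        "default order, pass fixed": evaluate(OWA_REQUEST, [WEBDAV_SEARCH, PASS_FIXED]),
        "-o order, pass fixed": evaluate(OWA_REQUEST, [WEBDAV_SEARCH, PASS_FIXED], PASS_FIRST_ORDER),
        "-o order, pass fixed, non-OWA SEARCH": evaluate(OTHER_SEARCH, [WEBDAV_SEARCH, PASS_FIXED], PASS_FIRST_ORDER),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:40s} -> {result}")
```

Two things fall out of running it. Without -o the alert fires before the pass rule is ever consulted, which is Jeff's point. With -o the posted pass rule still does not help, because depth:8 confines the search to the first 8 bytes of the payload and "SEARCH /exchange" is 16 bytes long; only the variant whose depth covers the whole pattern suppresses the OWA alert while a plain "SEARCH /" request still alerts. The usual caveat applies once -o is on: any pass rule that is broader than intended silently suppresses alerts for everything it matches.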

