[Snort-sigs] Exchange OWA Pass Rules

Cessna, Michael MCessna at ...153...
Wed Oct 24 13:02:10 EDT 2001


Here's a copy of the rules that keep MS Exchange OWA from driving you nuts
with alerts. Since OWA runs on MS IIS......Be careful to make sure that the
OWA server is FULLY patched!

##############################################################################
#Pass Rules for Exchange Outlook Web Access
#
#First a new variable needs to be set in your snort.conf file
#to define the OWA servers
#var OWA_SERVERS 192.168.1.1/32
#or for multiple OWA servers
#var OWA_SERVERS [192.168.1.1/32,192.168.2.2/32]
#using the OWA_SERVERS variable lets you pass the packets destined for your OWA
#servers while keeping the regular rules to protect your other nodes
#Make sure that you use the -o switch so that Snort processes the pass
#rules before the other rules
#
#NOTE: These rules are for OWA and Exchange on the same box.
#I have tested the rules with Exchange 5.5sp4 and Exchange2000
#MS IIS 5.0 was used as the webserver for both 5.5 and 2k
#If I get some time I'll try to separate out the webserver from Exchange
#And see if the rules need to be changed.
#Please send any changes/updates/
pass tcp $EXTERNAL_NET any -> $OWA_SERVERS 80 (msg:"WEB-MISC webdav search access by Exchange OWA"; flags: A+; uricontent: "/exchange"; nocase;)
pass tcp $EXTERNAL_NET any -> $OWA_SERVERS 80 (msg:"WEB-CGI Calendar access by Exchange OWA"; flags: A+; uricontent: "/exchweb"; nocase;)

Michael Cessna
Network Engineer
RealTime Media
308 Lancaster Ave.
Wynnewood, PA 19096
p.610-896-9400 x308
f.610-896-9416
mcessna at ...153...
www.realtimemedia.com
www.rtm.com
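
An added example, not part of the original post: a small Python linter for Snort pass rules of the kind shown above. It flags rules that are wrapped or have unbalanced quotes, and pass rules scoped wider than a named server and a URI match. The sample input is constructed: the second line has a deliberately missing opening quote and the third rule is hypothetical.

```python
import re

# Constructed sample input (not a real ruleset): two OWA pass rules, the second
# with a missing opening quote, plus a hypothetical over-broad pass rule.
SAMPLE_RULES = '''\
pass tcp $EXTERNAL_NET any -> $OWA_SERVERS 80 (msg:"WEB-MISC webdav search access by Exchange OWA"; flags: A+; uricontent: "/exchange"; nocase;)
pass tcp $EXTERNAL_NET any -> $OWA_SERVERS 80 (msg:WEB-CGI Calendar access by Exchange OWA"; flags: A+; uricontent: "/exchweb"; nocase;)
pass tcp any any -> any 80 (msg:"hypothetical over-broad pass"; flags: A+;)
'''

# action proto src sport direction dst dport (options)
HEADER = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$')

def lint_pass_rule(line):
    """Return a list of findings for one rule line (empty list = clean)."""
    m = HEADER.match(line.strip())
    if not m:
        return ["not a single-line rule (wrapped or malformed header)"]
    action, _proto, _src, _sport, _dir, dst, dport, opts = m.groups()
    if action != "pass":
        return []  # only pass rules are audited here
    findings = []
    if opts.count('"') % 2:
        findings.append("unbalanced double quote in options")
    if dst == "any":
        findings.append("destination is 'any': pass applies to every host")
    if dport == "any":
        findings.append("destination port is 'any'")
    if not re.search(r'\b(uri)?content\s*:', opts):
        findings.append("no content/uricontent match: whole port is passed")
    return findings

def lint_rules(text):
    """Map 1-based line number -> findings, skipping blanks and comments."""
    report = {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        found = lint_pass_rule(line)
        if found:
            report[n] = found
    return report

if __name__ == "__main__":
    for n, found in lint_rules(SAMPLE_RULES).items():
        print(f"line {n}: " + "; ".join(found))
```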
