[Snort-sigs] unreachable sig in default ruleset
cmg at ...26...
Sun Jan 20 18:08:02 EST 2002
# content/nocase options restored here; the post's point depends on "rcmd.exe" containing "cmd.exe"
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80
(msg:"WEB-MISC rcmd attempt"; flags:A+; content:"rcmd.exe"; nocase;
classtype:web-application-activity; sid:1065; rev:2;)
IIS rules are before the misc rules in the default snort.conf, and the misc
rules have cmd.exe as a sig. The sid of the cmd.exe sig is 1002.
I have no IIS machine that I can test on, but
``Q. Why can't I use RCMD.EXE via xp_cmdshell from SQL Server?
A. For any access to "network resources" you need to run SQL Server
under a user account and not the default LocalSystem account. You can
check what userid that MSSQLSERVER is running under by looking at
control panel/services highlighting MSSQLSERVER and choosing the
start-up option. This should be changed as necessary.
Without this change you will get an "error 5 - Access denied".
However, RCMD.EXE doesn't seem to work even with this change. This is
due to the way that RCMD in the NT resource kit is coded - it is
probably expecting there to be a keyboard/mouse defined in the user
context, which there isn't.
So the short answer is that unless you use a version of rcmd.exe
without this restriction then it won't work.''
This implies to me that rcmd.exe won't work under webserver context.
Can anyone confirm or deny this?
Chris Green <cmg at ...26...>
Fame may be fleeting but obscurity is forever.
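The ordering problem Chris describes can be shown with a small simulation. This is an added example, not code from the Snort project or from the original post: it emulates first-match alerting over a constructed two-rule set in snort.conf order, with the sid 1002 rule's msg text and the sample HTTP request lines made up for the demonstration (the real rule text is not on this page). It shows that sid 1065 never fires while sid 1002 is loaded first, and that ordering the longer content string ahead of its substring makes both sigs reachable.

```python
# Constructed, minimal rule set mirroring the ordering described in the post:
# the IIS cmd.exe sig (sid 1002) is loaded before the misc rcmd.exe sig (sid 1065).
# The msg for sid 1002 is a placeholder, not the real rule text.
RULES_IN_CONF_ORDER = [
    {"sid": 1002, "msg": "WEB-IIS cmd.exe access (placeholder msg)", "content": "cmd.exe", "nocase": True},
    {"sid": 1065, "msg": "WEB-MISC rcmd attempt", "content": "rcmd.exe", "nocase": True},
]

# Constructed sample request lines; only the file name matters for the match.
SAMPLE_PAYLOADS = [
    "GET /scripts/cmd.exe HTTP/1.0",
    "GET /scripts/rcmd.exe HTTP/1.0",
]


def content_matches(payload, rule):
    """Emulate Snort's content: option (with optional nocase)."""
    hay = payload.lower() if rule["nocase"] else payload
    needle = rule["content"].lower() if rule["nocase"] else rule["content"]
    return needle in hay


def first_match(payload, rules):
    """Return the sid of the first rule, in load order, whose content matches.

    This models the first-match alerting the post relies on: once a rule
    fires for a packet, later rules are not consulted.
    """
    for rule in rules:
        if content_matches(payload, rule):
            return rule["sid"]
    return None


def reachable_sids(payloads, rules):
    """Set of sids that fire on at least one payload under first-match."""
    return {sid for sid in (first_match(p, rules) for p in payloads) if sid is not None}


def longest_content_first(rules):
    """Reorder so that a longer content string is tested before any shorter
    string it contains (e.g. 'rcmd.exe' before 'cmd.exe'). Stable sort keeps
    the original order among rules of equal length."""
    return sorted(rules, key=lambda r: len(r["content"]), reverse=True)


if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        print(f"{p!r}: conf order -> sid {first_match(p, RULES_IN_CONF_ORDER)}, "
              f"longest-first -> sid {first_match(p, longest_content_first(RULES_IN_CONF_ORDER))}")
    print("reachable in conf order:", reachable_sids(SAMPLE_PAYLOADS, RULES_IN_CONF_ORDER))
    print("reachable longest-first:", reachable_sids(SAMPLE_PAYLOADS, longest_content_first(RULES_IN_CONF_ORDER)))
```

Running it shows the rcmd.exe request being attributed to sid 1002 in conf order, so an analyst would see a generic cmd.exe alert and never the more specific rcmd attempt; after the reorder the same request reports sid 1065 while plain cmd.exe requests still report sid 1002.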