[Snort-sigs] unreachable sig in default ruleset

Chris Green cmg at ...26...
Sun Jan 20 18:08:02 EST 2002

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80
(msg:"WEB-MISC rcmd attempt";flags: A+;
content:"rcmd.exe"; nocase;
classtype:web-application-activity; sid:1065; rev:2;)

IIS rules are before the misc rules in default snort.conf and the misc
rules have cmd.exe as a sig.  The sid of the cmd.exe is 1002.

I have no IIS machine that I can test on but


``Q. Why can't I use RCMD.EXE via xp_cmdshell from SQL Server?

A. For any access to "network resources" you need to run SQL Server
under a user account and not the default LocalSystem account. You can
check what userid that MSSQLSERVER is running under by looking at
control panel/services highlighting MSSQLSERVER and choosing the
start-up option. This should be changed as necessary.

Without this change you will get an "error 5 - Access denied".

However, RCMD.EXE doesn't seem to work even with this change. This is
due to the way that RCMD in the NT resource kit is coded - it is
probably expecting there to be a keyboard/mouse defined in the user
context, which there isn't.

So the short answer is that unless you use a version of rcmd.exe
without this restriction then it won't work.''

This implies to me that rcmd.exe won't work under webserver context.
Can anyone confirm or deny this?
Chris Green <cmg at ...26...>
Fame may be fleeting but obscurity is forever.
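
The overlap raised in this post (every payload containing "rcmd.exe" also contains "cmd.exe") can be checked mechanically across a ruleset. The following is an added example, not part of the original message or of Snort: it assumes, as the post does, that a rule loaded earlier wins, it compares only the rule header, `content` and `nocase`, and the sid 1002 line is a constructed stand-in because the post does not quote that rule.

```python
import re

# Constructed sample ruleset in load order. sid 1065 is the rule quoted in the
# post; the sid 1002 and sid 1000001 lines are constructed stand-ins.
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"cmd.exe stand-in"; flags: A+; content:"cmd.exe"; nocase; sid:1002;)',
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC rcmd attempt";flags: A+; content:"rcmd.exe"; nocase; classtype:web-application-activity; sid:1065; rev:2;)',
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"constructed unrelated rule"; flags: A+; content:"/example.cgi"; sid:1000001;)',
]

def parse(rule):
    """Split a rule into its header, content strings, nocase flag and sid."""
    header, _, opts = rule.partition("(")
    return {
        "header": " ".join(header.split()),
        "contents": re.findall(r'content:\s*"([^"]*)"', opts),
        "nocase": bool(re.search(r'\bnocase\s*;', opts)),
        "sid": int(re.search(r'sid:\s*(\d+)', opts).group(1)),
    }

def covers(early, late):
    """True if every payload matching `late` must also match `early`.

    Simplification: other options (flags, offset, depth, ...) are ignored,
    so a reported pair is a candidate to review, not a proof.
    """
    if early["header"] != late["header"] or not early["contents"]:
        return False
    def hit(needle, hay):
        if early["nocase"]:
            return needle.lower() in hay.lower()
        # A case-sensitive early rule cannot cover a case-insensitive later one.
        return not late["nocase"] and needle in hay
    return all(any(hit(n, h) for h in late["contents"])
               for n in early["contents"])

def shadowed(rules):
    """Return (later_sid, earlier_sid) pairs, following load order."""
    parsed = [parse(r) for r in rules]
    return [(late["sid"], early["sid"])
            for i, late in enumerate(parsed)
            for early in parsed[:i] if covers(early, late)]

if __name__ == "__main__":
    for late_sid, early_sid in shadowed(RULES):
        print(f"sid {late_sid} is covered by earlier sid {early_sid}")
```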
