[Snort-sigs] Question about sid: 1002

Michael Boman michael.boman at ...267...
Fri Apr 4 06:18:25 EST 2003


On Thu, Apr 03, 2003 at 08:10:21PM -0600, Jacob Hurley wrote:
> While my question isn't quite the same, it relates to this rule too.  We
> were wanting to possibly 'weed out' the scanners and whatnot that just
> could simply use cmd.exe to do directory listings (since there is a
> snort rule that will tell you about a successful dir listing) but we
> wanted to be alerted to any url that contained cmd.exe, but didn't
> contain 'dir' in it anywhere.  We were thinking of coming up with some
> type of pass rule or something (I am fairly new to the signature game
> myself) for it.  Any ideas, concerns, or comments on doing something
> like this ?

You mean something like:

alert tcp $EXTERNAL_NET any -> $HOME_NET 80 ( \
msg:"cmd.exe without dir attempt"; \
uricontent:"cmd.exe"; nocase; \
uricontent:!"dir"; nocase; \
)

(I broke down the rule to make it more readable... Hopefully I succeeded with that...)

Best regards
 Michael Boman

-- 
Michael Boman
Security Architect, SecureCiRT Pte Ltd
http://www.securecirt.com
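To see what the two-`uricontent` rule above actually matches, here is an added example (my code, not Michael's rule nor anything from the Snort project) that emulates its logic over a few constructed web-server log lines. It approximates Snort's URI normalization with a single percent-decode plus case folding (an assumption; the real `http_inspect` preprocessor does more), and it shows the caveat a practitioner would want: the negated `dir` is a plain substring check, so a URI containing a word like `redirect` is suppressed even though it never runs `dir`.

```python
"""Emulate 'uricontent:"cmd.exe"; nocase; uricontent:!"dir"; nocase;' on sample log lines."""
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [04/Apr/2003:06:18:25 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 512
10.0.0.6 - - [04/Apr/2003:06:18:26 +0000] "GET /scripts/CMD.EXE?/c+echo+hello HTTP/1.0" 200 12
10.0.0.7 - - [04/Apr/2003:06:18:27 +0000] "GET /scripts/%63md.exe?/c+set HTTP/1.0" 200 800
10.0.0.8 - - [04/Apr/2003:06:18:28 +0000] "GET /scripts/cmd.exe?/c+echo+redirect HTTP/1.0" 200 12
10.0.0.9 - - [04/Apr/2003:06:18:29 +0000] "GET /index.html HTTP/1.0" 200 2048
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def normalize_uri(uri: str) -> str:
    """Approximate the normalized URI buffer that uricontent matches against.

    Assumption: one round of percent-decoding and case folding. Snort's
    http_inspect normalization is richer (directory traversal collapsing,
    optional double decoding), so treat this as an approximation only.
    """
    return unquote(uri).lower()


def rule_fires(uri: str) -> bool:
    """True when both options match: 'cmd.exe' present AND 'dir' absent.

    A negated uricontent (!"dir") succeeds only if the pattern is found
    nowhere in the URI, so any substring 'dir' suppresses the alert.
    """
    norm = normalize_uri(uri)
    return "cmd.exe" in norm and "dir" not in norm


def extract_uri(log_line: str):
    """Pull the request URI out of a common-log-format line, or None."""
    match = REQUEST_RE.search(log_line)
    return match.group(1) if match else None


def scan_log(log_text: str):
    """Return the list of URIs for which the emulated rule would alert."""
    alerts = []
    for line in log_text.splitlines():
        uri = extract_uri(line)
        if uri is not None and rule_fires(uri):
            alerts.append(uri)
    return alerts


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("ALERT cmd.exe without dir attempt:", hit)
```

Running it alerts on the `CMD.EXE` request (nocase) and on the `%63md.exe` request (decoded before matching), stays quiet on the `dir` listing as intended, and also stays quiet on the `echo+redirect` request, which is the substring false negative to keep in mind when writing the negated option.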
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 232 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20030404/a132a098/attachment.sig>
