[Snort-sigs] Question about sid: 1002

Jacob Hurley jacobh at ...1425...
Fri Apr 4 16:42:06 EST 2003


Ya, thank you (you too Dan)   ;)


Jacob Hurley


-----Original Message-----
From: Michael Boman [mailto:michael.boman at ...267...] 
Sent: Friday, April 04, 2003 8:16 AM
To: Jacob Hurley
Cc: Daniel J. Roelker; snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] Question about sid: 1002

On Thu, Apr 03, 2003 at 08:10:21PM -0600, Jacob Hurley wrote:
> While my question isn't quite the same, it relates to this rule too. We
> were wanting to possibly 'weed out' the scanners and whatnot that just
> could simply use cmd.exe to do directory listings (since there is a
> snort rule that will tell you about a successful dir listing) but we
> wanted to be alerted to any url that contained cmd.exe, but didn't
> contain 'dir' in it anywhere.  We were thinking of coming up with some
> type of pass rule or something (I am fairly new to the signature game
> myself) for it.  Any ideas, concerns, or comments on doing something
> like this ?

You mean something like:

alert tcp $EXTERNAL_NET any -> $HOME_NET 80 ( \
msg:"cmd.exe without dir attempt"; \
uricontent:"cmd.exe"; nocase; \
uricontent:!"dir"; nocase; \
sid:1000001; rev:1; \
)

(I broke down the rule to make it more readable.. Hopefully I succeeded
with that..)

Best regards
 Michael Boman

-- 
Michael Boman
Security Architect, SecureCiRT Pte Ltd
http://www.securecirt.com
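The rule's matching logic run over a few constructed request lines, as an added example that is not part of the thread: `normalize_uri`, `rule_matches`, `find_alerts` and the sample lines are mine, and the percent-decoding is an assumed approximation of the URI normalization Snort's HTTP preprocessor applies before `uricontent` matches. The fourth sample shows the catch a defender should weigh before deploying it: the negated `uricontent` suppresses the alert whenever "dir" appears anywhere in the URI, even inside an unrelated path component.

```python
from urllib.parse import unquote

# Simplified stand-in for the rule's two uricontent checks: the normalized
# URI must contain "cmd.exe" (nocase) and must NOT contain "dir" (nocase).
# Assumption: percent-decoding plus lower-casing approximates the URI
# normalization Snort's HTTP preprocessor performs before matching.
def normalize_uri(uri):
    return unquote(uri).lower()

def rule_matches(uri):
    norm = normalize_uri(uri)
    return "cmd.exe" in norm and "dir" not in norm

# Constructed sample request lines (not captured traffic).
SAMPLE_REQUESTS = [
    "GET /scripts/cmd.exe?/c+dir HTTP/1.0",          # dir listing: suppressed by design
    "GET /scripts/CMD.EXE?/c+echo+test HTTP/1.0",    # no "dir": alerts (nocase)
    "GET /scripts/%63md.exe?/c+echo+test HTTP/1.0",  # encoded "c": still alerts after decoding
    "GET /directory/cmd.exe?/c+echo+test HTTP/1.0",  # "dir" inside "directory": alert missed
    "GET /index.html HTTP/1.0",                      # no cmd.exe: nothing
]

def request_uri(line):
    # Extract the request-URI from "METHOD URI VERSION"; None if malformed.
    parts = line.split()
    return parts[1] if len(parts) >= 3 else None

def find_alerts(lines):
    # Return the raw URIs that would trigger "cmd.exe without dir attempt".
    alerts = []
    for line in lines:
        uri = request_uri(line)
        if uri is not None and rule_matches(uri):
            alerts.append(uri)
    return alerts

if __name__ == "__main__":
    for uri in find_alerts(SAMPLE_REQUESTS):
        print("cmd.exe without dir attempt:", uri)
```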



