[Snort-sigs] question regarding web-iis rule NOT triggering..

Ashley Thomas athomas at ...681...
Tue Jun 10 11:58:05 EDT 2003

The concerned rule is

cmd.exe access"; flow:to_server,established; content:"cmd.exe"; nocase;
classtype:web-application-attack; sid:1002;  rev:5;)

I am wondering why the rule is not triggered for the following pkt:

06:50:06.369340 A.B.194.106.4843 > X.Y.134.191.http: P 0:73(73) ack 1 win 17520 (DF)
0x0000   4500 0071 8097 4000 7206 8395 aabb c26a        E..q..@.r......j
0x0010   xxyy 86bf 12eb 0050 7030 eb11 5336 c93d        .......Pp0..S6.=
0x0020   5018 4470 b2c0 0000 4845 4144 202f 5f6d        P.Dp....HEAD./_m
0x0030   656d 5f62 696e 2f2e 2e2f 2e2e 2f2e 2e2f        em_bin/../../../
0x0040   2e2e 2f77 696e 6e74 2f73 7973 7465 6d33        ../winnt/system3
0x0050   322f 636d 642e 6578 653f 2f63 2b64 6972        2/cmd.exe?/c+dir
0x0060   2063 3a5c 205c 2048 5454 502f 312e 300a        .c:\.\.HTTP/1.0.
0x0070   0a                                             .

I am using the snort.2.0.0 downloaded just now from snort.org.

The snort.conf had -
#This rule file has the above rule
include $RULE_PATH/web-iis.rules

Note that no alerts were in fact generated, so it is not due to the fact
that the packet triggered some other alert. (first exit)

Thanks a lot!

			-Ashley Thomas (athomas at ...681...)
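As an added check that is not part of the original post (my own Python, not the poster's or the Snort project's code), the script below rebuilds the raw bytes from the hex dump above, decodes the IPv4/TCP headers and applies the rule's `content:"cmd.exe"; nocase;` test; the address nibbles the poster redacted (`xxyy`) are zeroed so the dump still parses. It confirms the payload does carry cmd.exe, and that the dump is a single PSH/ACK segment, which is the session-state side of the rule (`flow:to_server,established`) that stream4 has to have tracked for the match to count.

```python
import re

# Constructed from the tcpdump -x output in the post (ASCII column omitted);
# the poster's redacted address bytes (aabb c26a, xxyy 86bf) are kept as given.
HEXDUMP = """\
0x0000   4500 0071 8097 4000 7206 8395 aabb c26a
0x0010   xxyy 86bf 12eb 0050 7030 eb11 5336 c93d
0x0020   5018 4470 b2c0 0000 4845 4144 202f 5f6d
0x0030   656d 5f62 696e 2f2e 2e2f 2e2e 2f2e 2e2f
0x0040   2e2e 2f77 696e 6e74 2f73 7973 7465 6d33
0x0050   322f 636d 642e 6578 653f 2f63 2b64 6972
0x0060   2063 3a5c 205c 2048 5454 502f 312e 300a
0x0070   0a
"""

TCP_FLAGS = [(0x02, "SYN"), (0x08, "PSH"), (0x10, "ACK"), (0x01, "FIN"), (0x04, "RST")]

def parse_hexdump(text):
    """Turn tcpdump -x lines back into raw bytes; redacted nibbles become 0."""
    out = bytearray()
    for line in text.splitlines():
        toks = line.split()
        if not toks or not toks[0].startswith("0x"):
            continue
        for tok in toks[1:]:
            if not re.fullmatch(r"[0-9a-fA-Fxy]{2,4}", tok):
                break  # reached an ASCII column, if one is present
            out += bytes.fromhex(re.sub(r"[xy]", "0", tok))
    return bytes(out)

def parse_packet(raw):
    """Minimal IPv4/TCP decode: ports, flag names, window and TCP payload."""
    ihl = (raw[0] & 0x0F) * 4                      # IPv4 header length
    total_len = int.from_bytes(raw[2:4], "big")    # IP total length
    tcp = raw[ihl:]
    doff = (tcp[12] >> 4) * 4                      # TCP header length
    return {
        "src_port": int.from_bytes(tcp[0:2], "big"),
        "dst_port": int.from_bytes(tcp[2:4], "big"),
        "flags": [name for bit, name in TCP_FLAGS if tcp[13] & bit],
        "window": int.from_bytes(tcp[14:16], "big"),
        "payload": raw[ihl + doff:total_len],
    }

def content_matches(payload, pattern, nocase):
    """Snort-style content test: plain substring, case-folded when nocase is set."""
    if nocase:
        return pattern.lower() in payload.lower()
    return pattern in payload
```

Running `parse_packet(parse_hexdump(HEXDUMP))` reproduces the header values tcpdump printed (ports 4843 -> 80, PSH/ACK, window 17520, 73 payload bytes) and the content test returns True, so whatever stopped the alert is not the content match itself.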

