[Snort-sigs] question regarding web-iis rule NOT triggering..

Matt Kettler mkettler at ...1208...
Tue Jun 10 12:48:07 EDT 2003


(note: this probably belongs on snort-users, as this is really a devel 
list, but no biggie).

In general, that packet should trigger that rule, so I suspect it's a 
configuration or packet dropping issue.

So I have 5 questions for you to help you find the cause in it.

1) Is A.B.194.106 included in EXTERNAL_NET? If you have multiple ranges and 
a negation, are you sure your boolean algebra is correct (it very commonly 
is not.. [!a,!b] is not likely to do what you might think.)

2) Is x.y.134.191 included in HTTP_SERVERS?

3) What is HTTP_PORTS defined as? Is there a comma in it (commas are not 
valid in port specifications)?

4) Is the stream4 preprocessor enabled?

5) What is your packet drop rate like? Is there any chance that snort 
missed the three-way handshake?



At 02:57 PM 6/10/2003 -0400, Ashley Thomas wrote:
>The concerned rule is
>
>alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS
>cmd.exe access"; flow:to_server,established; content:"cmd.exe"; nocase;
>classtype:web-application-attack; sid:1002;  rev:5;)
>
>I am wondering why the rule is not triggered for the following pkt:
>
>06:50:06.369340 A.B.194.106.4843 > X.Y.134.191.http: P 0:73(73) ack
>1 win17520 (DF)
>0x0000   4500 0071 8097 4000 7206 8395 aabb c26a        E..q.. at ...1591...
>0x0010   xxyy 86bf 12eb 0050 7030 eb11 5336 c93d        .......Pp0..S6.=
>0x0020   5018 4470 b2c0 0000 4845 4144 202f 5f6d        P.Dp....HEAD./_m
>0x0030   656d 5f62 696e 2f2e 2e2f 2e2e 2f2e 2e2f        em_bin/../../../
>0x0040   2e2e 2f77 696e 6e74 2f73 7973 7465 6d33        ../winnt/system3
>0x0050   322f 636d 642e 6578 653f 2f63 2b64 6972        2/cmd.exe?/c+dir
>0x0060   2063 3a5c 205c 2048 5454 502f 312e 300a        .c:\.\.HTTP/1.0.
>0x0070   0a                                             .
>
>I am using the snort.2.0.0 downloaded just now from snort.org.
>
>The snort.conf had -
>#This rule file has the above rule
>include $RULE_PATH/web-iis.rules
>
>Note that no alerts were in fact generated, so it is not due to the fact
>that the packet triggered some other alert.. (first exit)
>
>Thanks a lot !





More information about the Snort-sigs mailing list