[Snort-sigs] WEB-FRONTPAGE /_vti_bin/ access rule question to the community

Coen Bakkers, Monitored Security coen.bakkers at ...1134...
Wed Jun 2 22:01:02 EDT 2004


Hi Matthew,

It is Snort 2.0.1 (Build 88) included in EagleX, the default ruleset.
The SID of the rule it should trigger is 1288, and the rev is 5 in the default ruleset.
When I updated the ruleset to the ruleset of April 2004, I had the same result (Snort ruleset for 2.0.x).
Snort 2.1.3 RC1 detected the exploit correctly.

Hope that helps, and thanks for your help!

Coen

-----Original Message-----
From: Matthew Watchinski [mailto:mwatchinski at ...435...]
Sent: Wednesday, June 02, 2004 3:24 PM
To: Coen Bakkers, Monitored Security
Cc: snort-sigs at ...1245...
Subject: Re: [Snort-sigs] WEB-FRONTPAGE /_vti_bin/ access rule question
to the community


What 2.0.x version of snort are you using and what SID and REV of the rule are 
you using?

Cheers,
-matt

Coen Bakkers, Monitored Security wrote:
> Hi,
> 
> In light of my GCIA practical, I am doing a comparative study between Snort 2.0.x and Snort 2.1.3 RC1. I discovered that the WEB-FRONTPAGE /_vti_bin/ access
> signature only triggers when the Metasploit Frontpage fp30reg.dll Chunked Encoding exploit is run against Snort 2.1.3 RC1; Snort 2.0.x does not detect it, although the rule seems to be the same and the rule group is activated as well. Settings seem to be the same in snort.conf.
> 
> Does anyone know why? I think it might have to do with some changes to the preprocessors; however, I am not sure.
> 
> Thanks for your help,
> 
> Regards
> 
> Coen Bakkers
> Security Analyst
> Symantec, Berlin SOC
> +49 1805 444 725
> 
> 
> 
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> 
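The original question guesses that preprocessor changes explain why the same rule fires on one Snort version and not the other; one job of the HTTP preprocessor is to normalize the request URI before a `uricontent` test is applied, so the same rule can match or miss depending on what the rule is tested against. The script below is an added illustration, not code from the thread or from Snort: it assumes SID 1288 boils down to `uricontent:"/_vti_bin/"; nocase;`, uses constructed request lines (the chunked body is irrelevant to a URI match and is omitted), and compares matching on the raw URI with matching on a normalized URI.

```python
from urllib.parse import unquote

# Constructed sample requests (not captures from the thread). Only the
# request line matters for a uricontent match; the chunked body is omitted.
SAMPLES = {
    "plain":       b"POST /_vti_bin/fp30reg.dll HTTP/1.1\r\nHost: srv.test\r\n\r\n",
    "pct_encoded": b"POST /%5Fvti%5Fbin/fp30reg.dll HTTP/1.1\r\nHost: srv.test\r\n\r\n",
    "enc_slash":   b"POST /_vti_bin%2Ffp30reg.dll HTTP/1.1\r\nHost: srv.test\r\n\r\n",
    "benign":      b"GET /index.html HTTP/1.1\r\nHost: srv.test\r\n\r\n",
}

def extract_uri(raw: bytes) -> str:
    """Return the request-target from the HTTP request line ('' if malformed)."""
    line = raw.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    parts = line.split(" ")
    return parts[1] if len(parts) >= 3 else ""

def normalize_uri(uri: str) -> str:
    """Approximate what an HTTP preprocessor does before uricontent is tested:
    drop the query string, percent-decode (twice, to cover double encoding)
    and resolve '.', '..' and repeated slashes."""
    path = unquote(unquote(uri.split("?", 1)[0]))
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    if not segments:
        return "/"
    return "/" + "/".join(segments) + ("/" if path.endswith("/") else "")

def matches_sid1288(raw: bytes, normalize: bool = True) -> bool:
    """Emulate `uricontent:"/_vti_bin/"; nocase;` on the raw or normalized URI."""
    uri = extract_uri(raw)
    if normalize:
        uri = normalize_uri(uri)
    return "/_vti_bin/" in uri.lower()

def compare(samples: dict) -> dict:
    """Map sample name -> (raw-URI match, normalized-URI match)."""
    return {name: (matches_sid1288(r, False), matches_sid1288(r))
            for name, r in samples.items()}

if __name__ == "__main__":
    for name, (raw_hit, norm_hit) in compare(SAMPLES).items():
        print(f"{name:12s} raw={raw_hit!s:5s} normalized={norm_hit}")
```

The "plain" request matches either way, while the two encoded variants only match once the URI has been normalized, which is the kind of difference a changed preprocessor configuration can introduce between two sensors running the same rule.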