[Snort-sigs] Newbie knucklehead can't get a custom rule to alert

tony at ...2576... tony at ...2576...
Wed Jun 23 15:58:04 EDT 2004


It is a .NET web service client sending a request which at the point of
capture is headed for MSMQ. The packet(s) include information with user
names and passwords that I would rather not share ;)
I could try sending a completely bogus request and see if it makes it that
far.
Basically I want to log attempts at XML / SQL injection even though the
app would be validating the input to prevent it from going anywhere.

-Tony

> On  0, tony at ...2576... allegedly wrote:
>> Yes I am, there are several packets that go through as part of a complete
>> request and response, I am interested in the one particular packet that
>> has "evil_hacker_string" in it.
>> Please note the things I've tried included changing and omitting the flow
>> portion of the rule.
>
> Is it possible for you to give us more information on how you are
> generating the traffic and/or if possible, send a tcpdump packet capture of
> your generated traffic?
>
> -------------------------------------------------------------
> Nigel Houghton       Research Engineer        Sourcefire Inc.
>                  Vulnerability Research Team
>
> In an emergency situation involving two or more officers of equal rank,
> seniority will be granted to whichever officer can program a vcr.
>




