[Snort-sigs] Newbie knucklehead can't get a custom rule to alert

Nigel Houghton nigel at ...435...
Wed Jun 23 16:08:05 EDT 2004


On  0, tony at ...2576... allegedly wrote:
> It is a .NET web service client sending a request which at the point of
> capture is headed for MSMQ. The packet(s) include information with user
> names and passwords that I would rather not share ;)

Understandable :)

> I could try sending a completely bogus request and see if it makes it that
> far.

Good, give that a try. You can obfuscate the IP address information if you
log the data with Snort. Use the -O option to do this. Have Snort log in
tcpdump format to a file and dump all the data; snort -h will show the
available options for doing this.

> Basically I want to log attempts at XML / SQL injection even though the
> app would be validating the input to prevent it from going anywhere.

ok

-------------------------------------------------------------
Nigel Houghton       Research Engineer        Sourcefire Inc.
                 Vulnerability Research Team

In an emergency situation involving two or more officers of equal rank,
seniority will be granted to whichever officer can program a vcr.



