[Snort-sigs] Newbie knucklehead can't get a custom rule to alert

Nigel Houghton nigel at ...435...
Wed Jun 23 16:08:05 EDT 2004

On  0, tony at ...2576... allegedly wrote:
> It is a .NET web service client sending a request which at the point of
> capture is headed for MSMQ. The packet(s) include information with user
> names and passwords that I would rather not share ;)

Understandable :)

> I could try sending a completely bogus request and see if it makes it that
> far.

Good, give that a try. You can obfuscate the IP address information if you
log the data with Snort. Use the -O option to do this. Have Snort log in
tcpdump format to a file and dump all the data; snort -h will show the
available options for doing this.

> Basically I want to log attempts at XML / SQL injection even though the
> app would be validating the input to prevent it from going anywhere.


Nigel Houghton       Research Engineer        Sourcefire Inc.
                 Vulnerability Research Team

In an emergency situation involving two or more officers of equal rank,
seniority will be granted to whichever officer can program a vcr.
