[Snort-sigs] sigs to catch response traffic

Jason Brvenik jason.brvenik at ...435...
Mon Jul 18 07:07:05 EDT 2005


This topic was a thread a few months back. flowbits will easily allow 
what you want. Problem is that in the case of a compromise the attacker 
simply has to return a 404 before opening a shell back to you and you 
will be none the wiser.


Russell Fulton wrote:
> Hi, does stream4 collect both directions of a flow?  I.e. is it possible 
> to have a set of signatures that tags a flow (standard http attack) and 
> then watches for a 200 response from the web server.
> 
> I assume that the answer is no, otherwise we would be doing this as a 
> matter of routine.
> 
> It long ago got to the stage where I ignore the flood of alerts 
> generated by people poking at our web servers.  The fact that someone poked 
> at our web server is of no interest at all.  The fact that someone poked 
> at the web server and the server did not return an error is of interest.
> 
> Perhaps this could be built into a preprocessor that returns the status 
> of an http connection.
> 
> Russell
> 
> 
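As an added illustration of the flowbits approach Jason refers to (this is not a rule set from the thread or from the Snort project), the following Snort 2.x rule pair tags a flow on a client request and only raises an alert when the server side of the same session answers with 200. The probe pattern "/cgi-bin/", the flowbit name and the SIDs in the local range are constructed placeholders; $EXTERNAL_NET, $HTTP_SERVERS and $HTTP_PORTS are the standard snort.conf variables.

```snort
# Rule 1 (request side): mark the session when a suspicious request is seen.
# flowbits:noalert suppresses the alert here, so the request alone stays quiet.
# "/cgi-bin/" is a constructed example pattern; substitute the real attack content.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( \
    msg:"LOCAL web probe request seen (tag only)"; \
    flow:to_server,established; \
    content:"/cgi-bin/"; nocase; \
    flowbits:set,local.web_probe; \
    flowbits:noalert; \
    sid:1000001; rev:1; )

# Rule 2 (response side): fire only if the server replies 200 OK on a tagged flow.
# stream4 tracks the session in both directions, so the flowbit set on the
# request is visible on the reply. pcre anchors on the status line so a "200"
# appearing later in the body cannot match.
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any ( \
    msg:"LOCAL web probe answered with 200 OK"; \
    flow:to_client,established; \
    pcre:"/^HTTP\/1\.[01] 200 /"; \
    flowbits:isset,local.web_probe; \
    flowbits:unset,local.web_probe; \
    sid:1000002; rev:1; )

# Caveat from the reply above: this only filters noise. A server (or a backdoor
# on it) that answers 404 and then opens an outbound connection never trips
# rule 2, so pair status-based rules with outbound-connection monitoring.
```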