[Snort-users] Snort+MySql=OK. But why...

Tom Whipp twhipp at ...63...
Tue Nov 21 09:31:56 EST 2000


I know that the ftp bad login rule logs the OUTBOUND packet containing the
bad login message... it seems to be very easy to get into the mindset of
dest IP must be the target of any attack because the vast majority of rules
detect queries and attacks.

Of course some of the rules detect "symptoms" of attacks rather than the
attack itself such as with your ftp bad login rule (and I suspect login but
since I don't get those from outside my own network I wouldn't know *grin*).

Maybe the signature messages could do with including a tag indicating if the
"target" is the source or destination address in this packet.

Anyway, while I'm sending a mail I might as well ask a question as well.  I'm
seeing LOTS of HEAD requests to my servers, I've looked into it and all of
the packets I've looked at come from proxy servers (usually checking the
modification date of images).

The rules in question are:

alert TCP !$HOME_NET any -> $HOME_NET 80 (msg:"SCAN - Whisker Stealth Mode 4- HEAD"; content: "HEAD"; nocase; offset: 0; depth: 4; dsize: >512; )
alert TCP !$HOME_NET any -> $HOME_NET 80 (msg:"SCAN - Whisker Stealth Mode 4- head"; content: "|6865 6164|"; offset: 0; depth: 4; dsize: >512; )

I'm wondering if the dsize entry is wrong - should it read < instead of >?
I'd assume that Whisker requests are usually a bit smaller than those of a
real browser because there won't be so many headers and associated crap.

Anyway - that's my 0.02 sterling for today.

	Tom
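The quoted rules, emulated as an added example (this is not code from the post above and not Snort's own matching engine) so the effect of the dsize clause can be checked against sample requests. The function and payload names are my own; both HTTP request payloads are constructed for illustration, not captured traffic. Note that "|6865 6164|" is simply "head" in hex, so with nocase on the first rule the second rule only matches packets the first already matches; and dsize compares the payload length of a single packet, so a request split across several TCP segments is judged segment by segment.

```python
# Added example (not from the original post, not Snort code): emulate the
# four rule options used by the two posted Whisker HEAD signatures
#   content:"HEAD"; nocase; offset:0; depth:4; dsize:>512;
# and run them over constructed request payloads with ">" and "<".

# Constructed: a minimal scanner-style request carrying no optional headers.
SCANNER_HEAD_REQUEST = b"HEAD /cgi-bin/test-cgi HTTP/1.0\r\n\r\n"

# Constructed: a header-heavy conditional request of the kind a caching
# proxy sends to revalidate an image (If-Modified-Since, Via, etc.).
PROXY_HEAD_REQUEST = (
    b"HEAD /images/logo.gif HTTP/1.0\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)\r\n"
    b"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*\r\n"
    b"Accept-Language: en-gb\r\n"
    b"Accept-Encoding: gzip, deflate\r\n"
    b"Referer: http://www.example.com/index.html\r\n"
    b"If-Modified-Since: Sat, 18 Nov 2000 10:12:33 GMT\r\n"
    b'If-None-Match: "3a1f-2d-3a165bd1"\r\n'
    b"Cache-Control: max-age=0\r\n"
    b"Via: 1.0 proxy1.example.net:3128 (Squid/2.3.STABLE4), "
    b"1.0 cache2.example.net:8080 (Squid/2.3.STABLE4)\r\n"
    b"X-Forwarded-For: 192.0.2.44, 198.51.100.7\r\n"
    b"Connection: keep-alive\r\n"
    b"Cookie: session=0123456789abcdef0123456789abcdef; "
    b"prefs=lang%3Den%3Bview%3Dgrid\r\n"
    b"\r\n"
)


def matches_whisker_head_rule(payload: bytes, dsize_op: str = ">",
                              dsize_val: int = 512) -> bool:
    """Emulate the rule options on one packet's TCP payload.

    offset:0 depth:4  -> the content search is confined to payload[0:4]
    nocase            -> the comparison ignores case ("head" matches too)
    dsize:<op>512     -> compares the length of the payload of this one
                         packet (IP/TCP headers are not counted)
    """
    if payload[0:4].upper() != b"HEAD":
        return False
    size = len(payload)
    if dsize_op == ">":
        return size > dsize_val
    if dsize_op == "<":
        return size < dsize_val
    raise ValueError("unsupported dsize operator: " + dsize_op)


def classify(payloads: dict, dsize_op: str) -> dict:
    """Return {name: matched} for every payload under the given dsize operator."""
    return {name: matches_whisker_head_rule(p, dsize_op)
            for name, p in payloads.items()}


if __name__ == "__main__":
    samples = {"scanner": SCANNER_HEAD_REQUEST, "proxy": PROXY_HEAD_REQUEST}
    for name, p in samples.items():
        print(f"{name}: {len(p)} payload bytes")
    for op in (">", "<"):
        print(f"dsize: {op}512 ->", classify(samples, op))
```

Run as-is it reports which of the two constructed requests each variant of the clause selects; swap in real payloads from your own captures (e.g. the data portion of the packets Snort logged) to check the same thing against live traffic.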
