[Snort-users] Stupid rule question

Brian Caswell bmc at ...312...
Mon Mar 26 15:30:47 EST 2001


On Mon, Mar 26, 2001 at 11:50:24AM -0700, Ryan Russell wrote:
> So, I'm looking at some of the rules on the snort.org site, and there are
> several like this under the WEB-MISC category:
> 
> alert tcp $EXTERNAL_NET 80 -> $HTTP_SERVERS any (msg:"WEB-MISC telnet
> attempt";flags: A+; content:"telnet.exe"; nocase;)
> 
> My question has to do with the port numbers.  If I'm reading this right,
> the rule is looking for packets from outside, from TCP port 80, to your
> web servers, on any port.  By my thinking, this implies your web servers
> acting as web clients to outside machines.  And, it's looking for
> telnet.exe in the content, implying that your web server has downloaded a
> page with that in it.  I'm not even sure what exploit this would be for...
> any client-side holes I would expect to use telnet:// instead.
> 
> If the any and 80 were reversed, it would make sense to me... it would be
> watching for an attempt to call telnet.exe on your web server.

Well, this rule is junk all the way around.  You are correct that the
ports are mixed up in this case, but the rule needs to be axed in
general.

-- 
Brian Caswell
The MITRE Corporation
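As an added example, not code from the original thread or from the Snort rule set, here is a small Python checker that parses a Snort 1.x rule header, flags the header shape Ryan points out (a fixed service port on the $EXTERNAL_NET side, `any` on the $HTTP_SERVERS side, which can only match replies your servers receive as clients), and prints the rule with the two ports exchanged. The simplified header grammar, the SERVER_VARS list and SANE_RULE (a constructed comparison rule with the ports the way Ryan expects them) are assumptions made for this example; option splitting on `;` does not handle values that themselves contain `;`.

```python
import re
import copy

# Simplified Snort 1.x rule header grammar (assumption for this example):
#   action proto src sport direction dst dport (option; option; ...)
HEADER_RE = re.compile(
    r"^\s*(?P<action>alert|log|pass)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$",
    re.S,
)

# The WEB-MISC rule Ryan quoted, joined onto one line.
ORIGINAL_RULE = (
    'alert tcp $EXTERNAL_NET 80 -> $HTTP_SERVERS any (msg:"WEB-MISC telnet '
    'attempt";flags: A+; content:"telnet.exe"; nocase;)'
)

# Constructed comparison rule with client port "any" and server port 80.
SANE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 '
    '(msg:"WEB-IIS cmd.exe access"; flags:A+; content:"cmd.exe"; nocase;)'
)

# Variables that name your own servers; hypothetical default list.
SERVER_VARS = ("$HTTP_SERVERS", "$SMTP_SERVERS", "$DNS_SERVERS")


def parse_rule(rule):
    """Split a rule into header fields plus an ordered list of (key, value) options."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("not a recognisable Snort rule: %r" % rule)
    r = m.groupdict()
    opts = []
    # Options are ';'-separated; a value containing ';' would be split wrongly.
    for item in r.pop("opts").split(";"):
        item = item.strip()
        if not item:
            continue
        key, _, val = item.partition(":")
        opts.append((key.strip(), val.strip()))
    r["opts"] = opts
    return r


def format_rule(r):
    """Reassemble a parsed rule; options are normalised to 'key:value;'."""
    body = " ".join("%s:%s;" % (k, v) if v else "%s;" % k for k, v in r["opts"])
    return "%s %s %s %s %s %s %s (%s)" % (
        r["action"], r["proto"], r["src"], r["sport"],
        r["dir"], r["dst"], r["dport"], body,
    )


def looks_inverted(r, server_vars=SERVER_VARS):
    """True when the header reads 'from a fixed service port outside, to any
    port on our servers': such a rule only sees traffic our servers receive
    as clients, never requests sent to the service they run."""
    return (
        r["dir"] == "->"
        and r["src"] not in server_vars   # outside -> inside
        and r["dst"] in server_vars
        and r["sport"] != "any"
        and r["dport"] == "any"
    )


def swap_ports(r):
    """Return a copy of the parsed rule with source and destination ports exchanged."""
    fixed = copy.deepcopy(r)
    fixed["sport"], fixed["dport"] = r["dport"], r["sport"]
    return fixed


def lint(rules):
    """Return [(original, suggested)] for every rule whose ports look reversed."""
    findings = []
    for rule in rules:
        r = parse_rule(rule)
        if looks_inverted(r):
            findings.append((rule, format_rule(swap_ports(r))))
    return findings


if __name__ == "__main__":
    for bad, good in lint([ORIGINAL_RULE, SANE_RULE]):
        print("suspect :", bad)
        print("suggest :", good)
```

Swapping the ports only fixes the direction of the header; it turns the rule into one that watches requests to your web servers carrying "telnet.exe", which is what Ryan describes. Whether such a rule is worth keeping at all is the separate point Brian makes above.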
