[Snort-users] Re: downloading rules from snort.org while snort is running on your server.

Frontgate Lab mdiwan at ...200...
Fri Oct 12 09:13:11 EDT 2001


 Ah.. Thank you Matthew,

 I think I like that.. even if its redundant... i'm surprised that the
download did not trigger any other alerts though.. given the contents of
the snort rules tarballs.


Matthew Collins wrote:
> 
> All the snort rule is doing is looking for the content
> 
> window.open("readme.eml"
> 
> coming from a web server. As the rule matches itself, downloading the rule from a web server will trigger the rule. Note, only the first rule will match, the second will not, as it checks URI content, not just any content.
> 
> >>> "Frontgate Lab" <mdiwan at ...200...> 12/10/01 16:45:23 >>>
> Yes i did download rules from snort.org  BUT.. why would that trigger
> the readme.eml content alert?
> 
> [root at ...3795... snort]# cat web-misc.rules | grep readme.eml
> alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"WEB-MISC readme.eml
> autoload attempt"; flags:A+; content:"window.open(\"readme.eml\"";
> nocase; classtype:attempted-user; sid:1290; rev:3;
> reference:url,www.cert.org/advisories/CA-2001-26.html;)
> alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"WEB-MISC readme.eml
> attempt"; flags:A+; uricontent:"readme.eml"; nocase;
> classtype:attempted-user; sid:1284; rev:3;
> reference:url,www.cert.org/advisories/CA-2001-26.html;)
> 
> Madhav
> 
> Matthew Collins wrote:
> >
> > Look at the source port. 80 -> YourIP:35434.
> >
> > Been downloading some rules from the snort web site?
> >
> > >>> "Frontgate Lab" <mdiwan at ...200...> 12/10/01 16:02:13 >>>
> > Hiya .. errm.. i think this is bad... i belive it is nimda:
> >
> > Oct 11 11:48:35 fglab snort[4483]: [1:1284:3] WEB-MISC readme.eml
> > attempt [Classification: Attempted User Privilege Gain] [Priority: 8]:
> > {TCP} 151.196.107.166:80 -> 192.168.150.203:35434
> >
> > nslookup results:
> >
> >  nslookup 151.196.107.166
> > Note:  nslookup is deprecated and may be removed from future releases.
> > Consider using the `dig' or `host' programs instead.  Run nslookup with
> > the `-sil[ent]' option to prevent this message from appearing.
> > Server:         207.150.196.199
> > Address:        207.150.196.199#53
> >
> > Non-authoritative answer:
> > 166.107.196.151.in-addr.arpa    name = snort.sourcefire.com.
> >
> > Authoritative answers can be found from:
> > 166.107.196.151.in-addr.arpa    nameserver = ns1.sourcefire.com.
> > 166.107.196.151.in-addr.arpa    nameserver = ns2.sourcefire.com.
> > ns1.sourcefire.com      internet address = 151.196.107.164
> > ns2.sourcefire.com      internet address = 151.196.107.165
> >


Note: The information contained in this message may be privileged and confidential and protected from disclosure.  If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer.  Thank you.  Wagner Weber & Williams




More information about the Snort-users mailing list