PS: [Snort-users] Snort Newbie
jwithrow at ...422...
Sat Sep 15 23:49:01 EDT 2001
Ok, I think that is the problem, I need to define the IP's as External
I am guessing (Don't laugh, I am pretty new at this) that the $EXTERNAL
var should be my global internet NIC IP and $INTERNAL should be my
intranet 192.168.x.x NIC?
Also, how does one make any sense out of the packets? This looks pretty
Greek to me.
[**] IDS552/web-iis_IIS ISAPI Overflow ida [**]
09/16-02:55:00.611575 0:30:80:5D:7F:8C -> 0:10:B5:4:13:41 type:0x800
126.96.36.199:1198 -> 188.8.131.52:80 TCP TTL:124 TOS:0x0 ID:51642 IpLen:20
***A**** Seq: 0xF79A6595 Ack: 0xF0C2A391 Win: 0x4470 TcpLen: 20
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Jason
Sent: Sunday, September 16, 2001 2:52 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Snort Newbie
Hi, I just installed the 1.8 win32 build of Snort on a win2k Server.
I have having a difficult time getting the rule sets to work.
I think, that I don't have the rules set up properly.
Do I need to define $INTERNAL and $EXTERNAL as ip/ports somewhere?
This is just for my home box.
Here is the sample rule I am trying to get to work.
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS552/web-iis_IIS ISAPI
Overflow ida"; dsize: >239; flags: A+; uricontent: ".ida?"; classtype:
system-or-info-attempt; reference: arachnids,552;)
Thanks for any help, it is greatly appreciated.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users