[Snort-users] Should snort react this way?
ronneilc at ...4042...
Fri Jan 4 21:33:02 EST 2002
Hi to everyone on the list.
I would just like to confirm if snort should really behave this way. I configured
snort with flexresp. I added "resp: rst_all" on a rule in web-iis and attack-responses
rule that is related to cmd.exe and http dir listing.
I attacked my default installation of IIS server (unicode) then I was still able to
see the dir listings but snort, fortunately send a RST to both parties.
The parameter that I used was scripts/..%255c..%255c../winnt/system32/cmd.exe?/c+dir+c:\+/s
My question is, why is it that I was still able to see a dir listing of about
30%-40% of the complete listing before my internet browser sensed a RST?
More information about the Snort-users