[Snort-users] Should snort react this way?

Ronneil Camara ronneilc at ...4042...
Fri Jan 4 21:33:02 EST 2002


Hi to everyone on the list.

I would just like to confirm if snort should really behave this way. I configured
snort with flexresp. I added "resp: rst_all" on a rule in web-iis and attack-responses
rule that is related to cmd.exe and http dir listing.

I attacked my default installation of IIS server (unicode), and I was still able to
see the dir listings, but snort, fortunately, sent a RST to both parties.

The parameter that I used was scripts/..%255c..%255c../winnt/system32/cmd.exe?/c+dir+c:\+/s

My question is, why is it that I was still able to see a dir listing of about
30%-40% of the complete listing before my internet browser sensed a RST?

Thanks.

Neil



