[Snort-users] How to detect drive letters accessed?
Sheahan, Paul (PCLN-NW)
Paul.Sheahan at ...2218...
Wed Jan 16 15:02:08 EST 2002
Thanks Phil. What exactly does "|4b3a5c|" signify? If I want to use
different drive letters etc, how would this appear in a rule? It would be
nice to be able to create these myself but I'm not sure how you came up with
this! Any info would be appreciated!
From: Phil Wood [mailto:cpw at ...440...]
Sent: Wednesday, January 16, 2002 5:34 PM
To: Sheahan, Paul (PCLN-NW)
Cc: Snort List (E-mail)
Subject: Re: [Snort-users] How to detect drive letters accessed?
On Wed, Jan 16, 2002 at 05:19:37PM -0500, Sheahan, Paul (PCLN-NW) wrote:
> Running Snort 1.8.1 B78 on RH Linux 7.0.
> Using Snort, I am trying to detect when someone accesses a certain drive
> one of my servers. For example if I have a server that has a drive letter
> that no one from the outside world should see or be accessing, I'd like to
> create a rule in Snort that checks for "K:\" in a packet. The trouble is,
> can't just create a rule that searches for "K:\" because the rule doesn't
> work. I think the colon screws it up or something. Someone in this forum
> once mentioned putting some type of code in for the colon and backslash
> instead such as creating a rule to look for "K|C3A|" or something like
> but all recommendations from that person failed.
> Does anyone know how I can create a rule to search for "K:\" (can be any
> drive letter....it's the colon and backslash that are important)?
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> Snort-users list archive:
Phil Wood, cpw at ...440...
More information about the Snort-users