[Snort-users] Curse of the cmd.exe

Sam Evans sam at ...5202...
Thu Jun 13 17:28:06 EDT 2002


I was wondering if there is any way to alter a signature (maybe by using the
dynamic rules?) to have it record when a cmd.exe attempt on port 80 is
followed by the server's 200 OK ?

It seems pointless to me to log 10,000 cmd.exe attempts from outside hosts
when you don't know what the actual outcome was. Sure, you have to go to
your webserver logs to find out the real result, but with all the Nimda /
Code Red still going on, that makes for a very long day of log searching.

Does anyone have suggestions for a solution?  Is there one?  It seems like
it should be really easy to do... in theory.

Thanks,
Sam
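
The web-server log check described in the message above, as an added example that is not part of the original post: it walks a web log and separates cmd.exe requests that the server answered with 200 from the rest. It assumes IIS W3C extended logs with a `#Fields:` header; the sample lines, addresses and function names are constructed for illustration.

```python
import collections

# Constructed sample in IIS W3C extended log format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-06-13 17:01:02 192.0.2.10 GET /c/winnt/system32/cmd.exe /c+dir 404
2002-06-13 17:01:03 192.0.2.10 GET /d/winnt/system32/cmd.exe /c+dir 404
2002-06-13 17:02:11 198.51.100.7 GET /scripts/CMD.EXE /c+dir 200
2002-06-13 17:03:40 203.0.113.5 GET /default.htm - 200
2002-06-13 17:04:00 198.51.100.7 GET /scripts/cmd.exe /c+dir 500
"""


def cmd_exe_hits(lines, needle="cmd.exe"):
    """Yield one dict per request whose URI stem contains `needle`."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            # Column order can change mid-file, so re-read it every time.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed or truncated line
        rec = dict(zip(fields, parts))
        # Case-insensitive match: the server does not care about case either.
        if needle in rec.get("cs-uri-stem", "").lower():
            yield rec


def triage(lines):
    """Return (requests answered with 200, count of hits per status code)."""
    answered, counts = [], collections.Counter()
    for rec in cmd_exe_hits(lines):
        counts[rec["sc-status"]] += 1
        if rec["sc-status"] == "200":
            answered.append((rec["date"], rec["time"], rec["c-ip"], rec["cs-uri-stem"]))
    return answered, counts


if __name__ == "__main__":
    answered, counts = triage(SAMPLE_LOG.splitlines())
    print("cmd.exe requests by status:", dict(counts))
    for hit in answered:
        print("answered 200:", *hit)
```

The per-status counts give the volume of noise next to the short list of requests the server actually answered, which can then be matched against Snort alerts by source address and time.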





