[Snort-users] Curse of the cmd.exe

Chris Keladis Chris.Keladis at ...2783...
Fri Jun 14 02:32:03 EDT 2002

Sam Evans wrote:

> I was wondering if there is any way to alter a signature (maybe by using the
> dynamic rules?) to have it record when a cmd.exe attempt on port 80 is
> followed by the server's 200 OK ?
> Does anyone have suggestions for a solution?  Is there one?  It seems like
> it should be really easy to do.. in theory..

I'd say you could use dynamic rules to achieve what you require, for now.

Have a cmd.exe rule that chains to another rule which checks for a 200 
OK from the webserver before it issues a final verdict on an alert.

According to the Snort docs on www.snort.org it seems dynamic rules will 
be phased out in favour of 'rule tagging' which i'd guess explains why 
rule chaining isn't used much in the current Snort ruleset (just my 
assumption, anyway).

Also the (upcoming) flow module might be of assistance to you here as 
well (http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.3.36).

Snort v2.0 sounds very promising :-)



More information about the Snort-users mailing list