[Snort-users] Curse of the cmd.exe
Chris.Keladis at ...2783...
Fri Jun 14 02:32:03 EDT 2002
Sam Evans wrote:
> I was wondering if there is any way to alter a signature (maybe by using the
> dynamic rules?) to have it record when a cmd.exe attempt on port 80 is
> followed by the server's 200 OK ?
> Does anyone have suggestions for a solution? Is there one? It seems like
> it should be really easy to do.. in theory..
I'd say you could use dynamic rules to achieve what you require, for now.
Have a cmd.exe rule that chains to another rule which checks for a 200
OK from the webserver before it issues a final verdict on an alert.
According to the Snort docs on www.snort.org it seems dynamic rules will
be phased out in favour of 'rule tagging' which I'd guess explains why
rule chaining isn't used much in the current Snort ruleset (just my
Also the (upcoming) flow module might be of assistance to you here as
Snort v2.0 sounds very promising :-)
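
The correlation asked about in this thread, written out as a small per-connection state machine. This is an added example, not part of the original messages and not Snort rule syntax; the packet record layout, the function names and the sample traffic are constructed assumptions.

```python
import re
from urllib.parse import unquote

STATUS_RE = re.compile(rb"^HTTP/1\.[01] (\d{3})")

def pkt(src, sport, dst, dport, payload):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "payload": payload}

def flow_key(p):
    # Direction-independent key so a request and its response share state.
    return tuple(sorted([(p["src"], p["sport"]), (p["dst"], p["dport"])]))

def correlate(packets, needle="cmd.exe", server_port=80):
    """Return (flow, request_line) for each matching request answered with 200."""
    pending, hits = {}, []          # pending: flow -> suspicious request line
    for p in packets:
        key = flow_key(p)
        if p["dport"] == server_port:                       # client -> server
            line = p["payload"].split(b"\r\n", 1)[0].decode("latin-1")
            if needle in unquote(line).lower():             # also catches cmd%2Eexe
                pending[key] = line
        elif p["sport"] == server_port and key in pending:  # server -> client
            m = STATUS_RE.match(p["payload"])
            if m:
                line = pending.pop(key)                     # one verdict per request
                if m.group(1) == b"200":
                    hits.append((key, line))
    return hits

WEB = ("198.51.100.5", 80)
# Constructed sample traffic (documentation addresses), interleaved on purpose.
SAMPLE = [
    pkt("192.0.2.10", 40001, *WEB, b"GET /scripts/cmd.exe HTTP/1.0\r\n\r\n"),
    pkt("192.0.2.77", 50000, *WEB, b"GET /index.html HTTP/1.0\r\n\r\n"),
    pkt(*WEB, "192.0.2.77", 50000, b"HTTP/1.1 200 OK\r\n\r\n"),         # other flow
    pkt(*WEB, "192.0.2.10", 40001, b"HTTP/1.1 404 Not Found\r\n\r\n"),  # attempt failed
    pkt("192.0.2.10", 40002, *WEB, b"GET /scripts/cmd%2Eexe HTTP/1.0\r\n\r\n"),
    pkt(*WEB, "192.0.2.10", 40002, b"HTTP/1.1 200 OK\r\n\r\n"),         # attempt served
]

if __name__ == "__main__":
    for flow, line in correlate(SAMPLE):
        print("cmd.exe request answered with 200:", flow, line)
```

Only the third connection is reported: the first attempt got a 404, and the 200 sent to the unrelated client does not satisfy the pending request because state is keyed per connection.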