[Snort-users] Curse of the cmd.exe

Matt Yackley Matt.Yackley at ...5858...
Fri Jun 14 06:18:03 EDT 2002

Not sure about the dynamic rules, but a simpler form is the attack response
rules, but it may not be what you are looking for...here is the rule to see
if a "dir" command was succesful from a web server:
directory listing"; content:"Directory of"; nocase; flags:A+;
flow:from_server; classtype:unknown; sid:496; rev:4;)

It doesn't tie in that close to the attempts but, you could just watch for
the attack response alerts instead of worrying to much about the cmd.exe
type alerts.


-----Original Message-----
From: Sam Evans [mailto:sam at ...5202...]
Sent: Thursday, June 13, 2002 7:28 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Curse of the cmd.exe

I was wondering if there is any way to alter a signature (maybe by using the
dynamic rules?) to have it record when a cmd.exe attempt on port 80 is
followed by the server's 200 OK ?

It seems pointless to me, to log 10,000 cmd.exe attempts from outside hosts,
when you don't know what the actual outcome was..  Sure, you have to go to
your webserver logs to find out the real result, but, with all the Nimda /
Codered still going on..   That makes for a very long day of log searching.

Does anyone have suggestions for a solution?  Is there one?  It seems like
it should be really easy to do.. in theory..



Don't miss the 2002 Sprint PCS Application Developer's Conference
August 25-28 in Las Vegas -

Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list