[Snort-users] Curse of the cmd.exe

MOLLOY, Brendan, GCM Brendan.Molloy at ...6109...
Mon Jun 17 20:10:16 EDT 2002


Sam Evans wrote:

> I was wondering if there is any way to alter a signature (maybe by 
> using the dynamic rules?) to have it record when a cmd.exe attempt on 
> port 80 is followed by the server's 200 OK ?

Use URLSCAN on the web servers and block any URL with cmd.exe.  You won't
have to worry about the server giving a 200 OK.

-Brendan


-----Original Message-----
From: Chris Keladis [mailto:Chris.Keladis at ...2783...] 
Sent: Friday, June 14, 2002 5:30 AM
To: Sam Evans; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Curse of the cmd.exe


Sam Evans wrote:

> I was wondering if there is any way to alter a signature (maybe by 
> using the dynamic rules?) to have it record when a cmd.exe attempt on 
> port 80 is followed by the server's 200 OK ?
 >
> Does anyone have suggestions for a solution?  Is there one?  It seems 
> like it should be really easy to do.. in theory..

I'd say you could use dynamic rules to achieve what you require, for now.

Have a cmd.exe rule that chains to another rule which checks for a 200 
OK from the webserver before it issues a final verdict on an alert.

According to the Snort docs on www.snort.org it seems dynamic rules will 
be phased out in favour of 'rule tagging' which i'd guess explains why 
rule chaining isn't used much in the current Snort ruleset (just my 
assumption, anyway).

Also the (upcoming) flow module might be of assistance to you here as 
well (http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.3.36).

Snort v2.0 sounds very promising :-)




Regards,

Chris.


_______________________________________________________________

Don't miss the 2002 Sprint PCS Application Developer's Conference August
25-28 in Las Vegas -
http://devcon.sprintpcs.com/adp/index.cfm?source=osdntextlink

_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


**********************************************************************
This e-mail is intended only for the addressee named above.
As this e-mail may contain confidential or privileged information,
if you are not the named addressee, you are not authorised to
retain, read, copy or disseminate this message or any part of it.
************************************************************************
 




More information about the Snort-users mailing list