[Snort-users] Curse of the cmd.exe

M. Burnett mburnett at ...448...
Mon Jun 17 20:10:20 EDT 2002


Here are some additional attack response strings I use when watching
IIS web servers.

c:\winnt
c:\inetpub
Microsoft Windows 2000 [Version 5.00.2195]
command completed successfully
The system cannot find the path specified.
File Not Found
Bad command or filename
is not recognized as an internal or external command
Sub Application_OnStart   (tells you if someone views global.asa)

I also make the following changes to attack-responses.rules
change "1 file(s) copied" to "file(s) copied"
change "Index of /cgi-bin/" to "Index of /"


Mark Burnett
www.xato.net
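The strings above are only useful once they are tied back to the request that produced them, which is what Sam was asking for. As an added example (not code from this thread or from the Snort ruleset), the following Python script takes request/response pairs, flags requests that carry cmd.exe, and checks the response body case-insensitively (as Snort's nocase would) against Mark's strings plus the two generalized ones, "file(s) copied" and "Index of /". It goes a step beyond the post by also separating three outcomes that a plain attack-response alert lumps together: output came back (confirmed), a 200 with no recognizable output, and a benign page that merely contains one of the strings. All HTTP exchanges in it are constructed for illustration, not captured traffic.

```python
# Added example: correlate cmd.exe requests with the attack-response strings
# from the post. The HTTP exchanges at the bottom are constructed, not real.

RESPONSE_STRINGS = [
    "Directory of",                       # content of sid 496 in attack-responses.rules
    "c:\\winnt",
    "c:\\inetpub",
    "Microsoft Windows 2000 [Version 5.00.2195]",
    "command completed successfully",
    "The system cannot find the path specified.",
    "File Not Found",
    "Bad command or filename",
    "is not recognized as an internal or external command",
    "Sub Application_OnStart",            # someone is reading global.asa
    "file(s) copied",                     # generalized from "1 file(s) copied"
    "Index of /",                         # generalized from "Index of /cgi-bin/"
]


def parse_status(response):
    """Return the numeric status code of an HTTP response, 0 if unparseable."""
    parts = response.split("\r\n", 1)[0].split()
    return int(parts[1]) if len(parts) >= 2 and parts[1].isdigit() else 0


def body_of(response):
    """Return the response body (everything after the blank line), '' if none."""
    _head, sep, body = response.partition("\r\n\r\n")
    return body if sep else ""


def matched_strings(body):
    """Case-insensitive substring match, like Snort's 'nocase' modifier."""
    low = body.lower()
    return [s for s in RESPONSE_STRINGS if s.lower() in low]


def classify(request, response):
    """Tie a request to its response and say whether the attack actually worked."""
    request_line = request.split("\r\n", 1)[0]
    # Nimda / Code Red II requests carry 'cmd.exe' literally in the URI; other
    # encodings of the name would need URL-decoding first (not done here).
    attempt = "cmd.exe" in request_line.lower()
    status = parse_status(response)
    hits = matched_strings(body_of(response))
    if attempt and hits:
        verdict = "confirmed"          # cmd.exe ran and its output came back
    elif attempt and status == 200:
        verdict = "200-unconfirmed"    # 200 OK, but nothing recognizable in the body
    elif attempt:
        verdict = "failed"             # the usual noise: probe answered with an error
    elif hits:
        verdict = "response-only"      # e.g. a normal 404 page saying "File Not Found"
    else:
        verdict = "benign"
    return {"request": request_line, "status": status,
            "matches": hits, "verdict": verdict}


def triage(exchanges):
    return [classify(req, resp) for req, resp in exchanges]


def confirmed(exchanges):
    """Only the requests whose response proves cmd.exe executed."""
    return [r["request"] for r in triage(exchanges) if r["verdict"] == "confirmed"]


# Constructed request/response pairs (not real captures).
EXCHANGES = [
    ("GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\nHost: www\r\n\r\n",
     "HTTP/1.1 404 Object Not Found\r\nContent-Type: text/html\r\n\r\n"
     "<html><body>The page cannot be found</body></html>"),
    ("GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:\\inetpub\\scripts HTTP/1.0\r\n\r\n",
     "HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
     " Volume in drive C has no label.\r\n Directory of c:\\inetpub\\scripts\r\n\r\n"),
    ("GET /scripts/cmd.exe?/c+xcopy+c:\\winnt\\system32\\*.exe+c:\\inetpub\\scripts\\ HTTP/1.0\r\n\r\n",
     "HTTP/1.1 200 OK\r\n\r\nC:\\winnt\\system32\\cmd.exe\r\nC:\\winnt\\system32\\tftp.exe\r\n"
     "2 File(s) copied\r\n"),     # "1 file(s) copied" would have missed this
    ("GET /scripts/cmd.exe?/c+type+c:\\inetpub\\wwwroot\\global.asa HTTP/1.0\r\n\r\n",
     "HTTP/1.1 200 OK\r\n\r\n<SCRIPT LANGUAGE=VBScript RUNAT=Server>\r\nSub Application_OnStart\r\n"),
    ("GET /scripts/cmd.exe?/c+nosuchcmd HTTP/1.0\r\n\r\n",
     "HTTP/1.1 200 OK\r\n\r\n'nosuchcmd' is not recognized as an internal or external command,\r\n"
     "operable program or batch file.\r\n"),
    ("GET /scripts/cmd.exe?/c+dir HTTP/1.0\r\n\r\n",
     "HTTP/1.1 200 OK\r\n\r\n"),
    ("GET /index.html HTTP/1.0\r\n\r\n",
     "HTTP/1.1 200 OK\r\n\r\n<html>Welcome</html>"),
    ("GET /missing.gif HTTP/1.0\r\n\r\n",
     "HTTP/1.1 404 Not Found\r\n\r\n<html><body>File Not Found</body></html>"),
]

if __name__ == "__main__":
    for r in triage(EXCHANGES):
        print(f'{r["verdict"]:16} {r["status"]} {r["request"]}  {r["matches"]}')
```

Note the last two exchanges: a plain 404 page containing "File Not Found" would trip the response string on its own, so the verdict only becomes "confirmed" when the same connection also carried a cmd.exe request. The xcopy case shows why the rule change to "file(s) copied" matters: a two-file copy prints "2 File(s) copied", which "1 file(s) copied" never matches.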



On Fri, 14 Jun 2002 08:14:45 -0500, Matt Yackley wrote:
>Not sure about the dynamic rules, but a simpler form is the attack
>response rules, but it may not be what you are looking for...here is
>the rule to see if a "dir" command was successful from a web server:
>alert tcp $HTTP_SERVERS 80 -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES directory listing"; content:"Directory of"; nocase; flags:A+; flow:from_server; classtype:unknown; sid:496; rev:4;)
>
>It doesn't tie in that close to the attempts but, you could just
>watch for the attack response alerts instead of worrying too much
>about the cmd.exe type alerts.
>
>Matt
>
>-----Original Message-----
>From: Sam Evans [mailto:sam at ...5202...]
>Sent: Thursday, June 13, 2002 7:28 PM
>To: snort-users at lists.sourceforge.net
>Subject: [Snort-users] Curse of the cmd.exe
>
>
>I was wondering if there is any way to alter a signature (maybe by
>using the dynamic rules?) to have it record when a cmd.exe attempt
>on port 80 is followed by the server's 200 OK ?
>
>It seems pointless to me, to log 10,000 cmd.exe attempts from
>outside hosts, when you don't know what the actual outcome was..
>Sure, you have to go to your webserver logs to find out the real
>result, but, with all the Nimda / Codered still going on..   That
>makes for a very long day of log searching.
>
>Does anyone have suggestions for a solution?  Is there one?  It
>seems like it should be really easy to do.. in theory..
>
>Thanks, Sam
>
>
>
>_______________________________________________________________
>
>Don't miss the 2002 Sprint PCS Application Developer's Conference
>August 25-28 in Las Vegas -
>http://devcon.sprintpcs.com/adp/index.cfm?source=osdntextlink
>
>_______________________________________________ Snort-users mailing
>list Snort-users at lists.sourceforge.net Go to this URL to change user
>options or unsubscribe:
>https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users
>list archive: http://www.geocrawler.com/redir-sf.php3?list=snort
>-users