[Snort-users] Snort not logging hack attempts

Paul J. Smith pjsmith at ...6161...
Tue Jun 25 04:20:05 EDT 2002


Hi,
 
We get loads of attempts every day and I was trying snort as an
alternative real time detection system.  I've currently downloaded the
latest windows build of snort and am running it on Windows XP.  Whilst
it is running, it doesn't seem to be detecting any of the attacks.  In
particular, as you can see from the log file snippet below, it doesn't
detect the Unicode exploit attempts we get all the time, which I have seen a
module for in the config file.
 
2002-06-23 13:25:19 212.239.197.17 - 192.168.0.30 80 GET /scripts/root.exe /c+dir 404 3396 72 - - -
2002-06-23 13:25:23 212.239.197.17 - 192.168.0.30 80 GET /MSADC/root.exe /c+dir 404 3396 70 - - -
2002-06-23 13:25:34 212.239.197.17 - 192.168.0.30 80 GET /c/winnt/system32/cmd.exe /c+dir 404 3396 80 - - -
2002-06-23 13:25:37 212.239.197.17 - 192.168.0.30 80 GET /d/winnt/system32/cmd.exe /c+dir 404 3396 80 - - -
2002-06-23 13:25:39 212.239.197.17 - 192.168.0.30 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 3396 96 - - -
2002-06-23 13:25:41 212.239.197.17 - 192.168.0.30 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 500 0 117 - - -
2002-06-23 13:25:43 212.239.197.17 - 192.168.0.30 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 3396 117 - - -


The system is on the same hub as the gateway, so it should be able to
see this as incoming traffic before it reaches the switch.

My config file is as per the defaults.

Any pointers as to why this isn't working?

Thanks,
 
Paul
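
An added example, not part of the original post and not Snort code: a small Python scan of the web-server log for the request patterns in the snippet above (percent-encoded `..%5c` traversal and requests for `cmd.exe` or `root.exe`), useful for cross-checking what an IDS should have alerted on. The field order is an assumption inferred from the sample lines, and the last sample line is constructed.

```python
from urllib.parse import unquote

# Three entries from the post's log snippet (re-joined, one per line) plus one
# constructed benign request for contrast.
SAMPLE_LOG = """\
2002-06-23 13:25:19 212.239.197.17 - 192.168.0.30 80 GET /scripts/root.exe /c+dir 404 3396 72 - - -
2002-06-23 13:25:39 212.239.197.17 - 192.168.0.30 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 3396 96 - - -
2002-06-23 13:25:41 212.239.197.17 - 192.168.0.30 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 500 0 117 - - -
2002-06-23 13:26:02 192.0.2.10 - 192.168.0.30 80 GET /index.html - 200 5120 31 - - -
"""

# Assumed field order, inferred from the sample lines only.
FIELDS = ("date", "time", "client", "user", "server", "port",
          "method", "stem", "query", "status")
SHELL_NAMES = {"cmd.exe", "root.exe"}


def normalise(path, rounds=3):
    """Percent-decode repeatedly (catches %255c-style double encoding),
    then fold backslashes to slashes and lower-case the result."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/").lower()


def classify(line):
    """Return (client, status, reasons) for one entry, or None if unparsable."""
    parts = line.split()
    if line.startswith("#") or len(parts) < len(FIELDS):
        return None  # header directive or truncated line
    rec = dict(zip(FIELDS, parts))
    if not rec["status"].isdigit():
        return None
    path = normalise(rec["stem"])
    reasons = [name for name, hit in (
        ("traversal", "../" in path),
        ("shell", path.rsplit("/", 1)[-1] in SHELL_NAMES)) if hit]
    return rec["client"], int(rec["status"]), reasons


def scan(text):
    """List flagged requests. 'review' marks any status other than 404, i.e.
    the server did something other than report the file as missing."""
    results = [r for r in map(classify, text.splitlines()) if r and r[2]]
    return [{"client": c, "status": s, "reasons": why, "review": s != 404}
            for c, s, why in results]
```

Running `scan(SAMPLE_LOG)` flags the three requests from the post and marks the one answered with a 500 for review.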



