[Snort-users] Snort not logging hack attempts

Santoro, David david.santoro at ...178...
Tue Jun 25 10:14:06 EDT 2002


Paul

What preprocessors are running?  Do you have both the http-Decode 80 and
the Unidecode 80 active?  I have been doing some lab experiments with
unicode and it seems that both need to be running for Snort to detect
unicode even though by the preprocessor descriptions only one of them needs
to be.

>We get loads of attempts every day and I was trying snort as an alternative
>real time detection system.  I've currently downloaded the latest windows
>build of snort and am running it on Windows XP.  Whilst it is running, it
>doesn't seem to be detecting any of the attacks.  In particular, as you can
>see from the log file snippet below, it doesn't detect unicode exploit
>attempts we get all the time which I have seen a module for in the config
>file.
>
>2002-06-23 13:25:19 212.239.197.17 - 192.168.0.30 80 GET /scripts/root.exe /c+dir 404 3396 72 - - -
>2002-06-23 13:25:23 212.239.197.17 - 192.168.0.30 80 GET /MSADC/root.exe /c+dir 404 3396 70 - - -
>2002-06-23 13:25:34 212.239.197.17 - 192.168.0.30 80 GET /c/winnt/system32/cmd.exe /c+dir 404 3396 80 - - -
>2002-06-23 13:25:37 212.239.197.17 - 192.168.0.30 80 GET /d/winnt/system32/cmd.exe /c+dir 404 3396 80 - - -
>2002-06-23 13:25:39 212.239.197.17 - 192.168.0.30 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 3396 96 - - -
>2002-06-23 13:25:41 212.239.197.17 - 192.168.0.30 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 500 0 117 - - -
>2002-06-23 13:25:43 212.239.197.17 - 192.168.0.30 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 3396 117 - - -


>The system is on the same hub as the gateway, so it should be able to see
>this as incoming traffic before it reaches the switch.
>
>My config file is as per the defaults.
>
>Any pointers as to why this isn't working?
>
>Thanks,
>
>Paul
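To illustrate the point made above about decoding, here is an added example (not code from the thread or from Snort) that runs two illustrative signatures over the IIS log excerpt, once against the raw URI and once after the kind of normalisation an HTTP-decoding preprocessor performs; the signature names and the benign fourth log line are constructed for the demo.

```python
import re
from urllib.parse import unquote

# Sample log in the IIS W3C layout of the excerpt quoted in the thread
# (date time c-ip - s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status ...).
# First three lines are copied from that excerpt; the last is a constructed benign request.
SAMPLE_LOG = """\
2002-06-23 13:25:19 212.239.197.17 - 192.168.0.30 80 GET /scripts/root.exe /c+dir 404 3396 72 - - -
2002-06-23 13:25:39 212.239.197.17 - 192.168.0.30 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 3396 96 - - -
2002-06-23 13:25:41 212.239.197.17 - 192.168.0.30 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 500 0 117 - - -
2002-06-23 13:26:02 192.168.0.12 - 192.168.0.30 80 GET /index.html - 200 1024 300 - - -
"""

# Two illustrative signatures (not real Snort SIDs) written against the
# normalised URI: decoded, forward slashes only, lower-case.
TRAVERSAL = re.compile(r"(?:^|/)\.\./")
SHELL_BINARY = re.compile(r"/(?:cmd|root)\.exe$")


def normalize_uri(uri: str) -> str:
    """Mimic an HTTP-decoding preprocessor: percent-decode twice (so %255c also
    resolves), fold backslashes to slashes and lower-case; '..%5c..' -> '../..'."""
    return unquote(unquote(uri)).replace("\\", "/").lower()


def findings_for(uri: str, decode: bool = True) -> list:
    """Signature names firing on one cs-uri-stem. decode=False matches the raw URI,
    which is all a rule sees when no decoding preprocessor is running."""
    target = normalize_uri(uri) if decode else uri.lower()
    hits = []
    if TRAVERSAL.search(target):
        hits.append("WEB-IIS directory traversal")
    if SHELL_BINARY.search(target):
        hits.append("WEB-IIS cmd.exe/root.exe access")
    return hits


def scan_log(text: str, decode: bool = True) -> list:
    """Parse W3C lines; return (client ip, uri stem, findings) for each line that fires."""
    alerts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 10:  # not a request record
            continue
        client_ip, uri_stem = fields[2], fields[7]
        hits = findings_for(uri_stem, decode)
        if hits:
            alerts.append((client_ip, uri_stem, hits))
    return alerts
```

Compare scan_log(SAMPLE_LOG, decode=False) with scan_log(SAMPLE_LOG): the cmd.exe signature fires either way, but the traversal signature only fires once %5c has been decoded to a backslash and folded to a slash.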




