[Snort-users] Making snort smarter...

Paul Schmehl pauls at ...6838...
Tue Apr 29 09:19:23 EDT 2003


Sure.  All the web-iis.rules apply only to IIS.  Why would I want alerts 
for apache running on Solaris when the attack only works on IIS?

CodeRed, Nimda, etc. all only affect IIS.  Right now all my webservers 
alert for that stuff, when the only ones I care about are IIS servers.  An 
attacker can pound all day on an apache server looking for iissamples.  Why 
would I care?

--On Tuesday, April 29, 2003 10:49:20 AM -0500 bmcdowell at ...7861... 
wrote:

> Not that I couldn't just look and find out for myself, but:
>
> Are there any 'web' rules that you want alerting for IIS servers?
>
> Obviously the reverse is the issue, but would such a fix break anything
> else?
>
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Paul
> Schmehl
> Sent: Tuesday, April 29, 2003 9:49 AM
> To: Jason Haar; snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Making snort smarter...
>
>
> Sure, I could do that, and then I'd have to cron it so that after
> oinkmaster replaces the rules they get fixed again.
>
> Wouldn't it be simpler to just incorporate this as a change to the
> ruleset?
> That way it's fixed for everyone.
>
> --On Tuesday, April 29, 2003 09:03:50 PM +1200 Jason Haar
> <Jason.Haar at ...294...> wrote:
>
>> Paul Schmehl wrote:
>>> For the specific example you give I think it would be entirely
>>> appropriate to create a var called "$IIS_SERVERS" and then put all
> the
>>> *other* webservers under $HTTP_SERVERS.  I've suggested this before,
> and
>>> I'd love to see it implemented in the rules, because IIS is a beast
> unto
>>> itself.
>>
>> Good idea - but as all IIS rules are within web-iis.rules, why not
> just
>> script a rewrite?
>>
>> echo "var IIS_SERVERS [1.2.3.4/32,2.3.4.1/32]"
>> sed 's/HTTP_SERVERS/IIS_SERVERS/g' web-iis.rules
>>
>>
>> Jason
>>
>>
>>
>> -------------------------------------------------------
>> This sf.net email is sponsored by:ThinkGeek
>> Welcome to geek heaven.
>> http://thinkgeek.com/sf
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
>
> Paul Schmehl (pauls at ...6838...)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu
>
>
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users



Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu




More information about the Snort-users mailing list