[Snort-users] Making snort smarter...

bmcdowell at ...7861...
Tue Apr 29 11:49:04 EDT 2003


No, you misunderstand me.  Reverse it.  Do none of the other rules
detect things that affect IIS?  For example, there's web-attacks,
web-cgi, etc.  In fact, here's the number of times '$HTTP_SERVERS' is
found in the ruleset I have:

ATTACK-RESPONSES.RULES: 12
DELETED.RULES: 12
DOS.RULES: 1
MISC.RULES: 2
WEB-ATTACKS.RULES: 47
WEB-CGI.RULES: 296
WEB-COLDFUSION.RULES: 35
WEB-FRONTPAGE.RULES: 34
WEB-IIS.RULES: 113
WEB-MISC.RULES: 261
WEB-PHP.RULES: 15

So, if you make it so something in '$IIS_SERVERS' is not in
'$HTTP_SERVERS', tons of rules no longer apply.  Not simply the ones in
web-iis.  This may have an undesired impact...

Do you see what I mean?

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Paul
Schmehl
Sent: Tuesday, April 29, 2003 10:58 AM
To: Bob McDowell; snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Making snort smarter...

Sure.  All the web-iis.rules apply only to IIS.  Why would I want alerts
for apache running on Solaris when the attack only works on IIS?

CodeRed, Nimda, etc. all only affect IIS.  Right now all my webservers
alert for that stuff, when the only ones I care about are IIS servers.  An
attacker can pound all day on an apache server looking for iissamples.  Why
would I care?

--On Tuesday, April 29, 2003 10:49:20 AM -0500 bmcdowell at ...7861... wrote:

> Not that I couldn't just look and find out for myself, but:
>
> Are there any 'web' rules that you want alerting for IIS servers?
>
> Obviously the reverse is the issue, but would such a fix break anything
> else?
>
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Paul
> Schmehl
> Sent: Tuesday, April 29, 2003 9:49 AM
> To: Jason Haar; snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Making snort smarter...
>
>
> Sure, I could do that, and then I'd have to cron it so that after
> oinkmaster replaces the rules they get fixed again.
>
> Wouldn't it be simpler to just incorporate this as a change to the
> ruleset?
> That way it's fixed for everyone.
>
> --On Tuesday, April 29, 2003 09:03:50 PM +1200 Jason Haar
> <Jason.Haar at ...294...> wrote:
>
>> Paul Schmehl wrote:
>>> For the specific example you give I think it would be entirely
>>> appropriate to create a var called "$IIS_SERVERS" and then put all the
>>> *other* webservers under $HTTP_SERVERS.  I've suggested this before, and
>>> I'd love to see it implemented in the rules, because IIS is a beast unto
>>> itself.
>>
>> Good idea - but as all IIS rules are within web-iis.rules, why not just
>> script a rewrite?
>>
>> echo "var IIS_SERVERS [1.2.3.4/32,2.3.4.1/32]"
>> sed 's/HTTP_SERVERS/IIS_SERVERS/g' web-iis.rules
>>
>>
>> Jason
>>
>>
>>
>> -------------------------------------------------------
>> This sf.net email is sponsored by:ThinkGeek
>> Welcome to geek heaven.
>> http://thinkgeek.com/sf
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
>
> Paul Schmehl (pauls at ...6838...)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu
>
>



Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


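The procedure the thread argues over, as an added example that is not code from the thread or from the Snort project: count the rules per file that reference $HTTP_SERVERS (the figure the table above reports), apply the sed rewrite to a copy of web-iis.rules, and emit the two var lines with the IIS hosts kept in both, so the web-cgi, web-misc and attack-responses rules keep covering the IIS boxes. The rule files and the addresses are constructed for the example; the `var NAME [a/32,b/32]` list syntax is assumed to be the Snort 2.x form.

```shell
#!/bin/sh
# Added example, not code from the thread: reproduce the per-file
# $HTTP_SERVERS count from the mail, apply the sed rewrite to a copy of
# web-iis.rules, and emit var lines that keep the IIS hosts inside
# HTTP_SERVERS so the other rule files still cover them.
set -eu

# Constructed sample rule files (toy signatures, not the real Snort ruleset).
make_sample_rules() {
  dir=$1
  mkdir -p "$dir"
  cat > "$dir/web-iis.rules" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS sample iissamples"; flow:to_server; content:"/iissamples/"; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS sample scripts"; flow:to_server; content:"/scripts/"; sid:9000002; rev:1;)
EOF
  cat > "$dir/web-cgi.rules" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI sample"; flow:to_server; content:"/cgi-bin/"; sid:9000003; rev:1;)
EOF
  cat > "$dir/attack-responses.rules" <<'EOF'
alert tcp $HTTP_SERVERS 80 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES sample"; flow:from_server; content:"Volume Serial Number"; sid:9000004; rev:1;)
EOF
}

# Number of rule lines in one file that reference $HTTP_SERVERS
# (the figure the per-file table in the mail reports).
count_http_servers_refs() {
  grep -c '\$HTTP_SERVERS' "$1" || true
}

# Same count across every .rules file in the directory except web-iis.rules:
# these are the rules that silently stop matching IIS hosts if those hosts
# are dropped from HTTP_SERVERS.
count_other_refs() {
  total=0
  for f in "$1"/*.rules; do
    case $f in */web-iis.rules) continue ;; esac
    n=$(count_http_servers_refs "$f")
    total=$((total + n))
  done
  echo "$total"
}

# The sed rewrite from the thread, written to web-iis.rules.new instead of
# in place so it can simply be re-run after oinkmaster replaces the files.
rewrite_iis_rules() {
  sed 's/\$HTTP_SERVERS/$IIS_SERVERS/g' "$1/web-iis.rules" > "$1/web-iis.rules.new"
}

# Emit the two var lines. Assumes the Snort 2.x "var NAME [a/32,b/32]" list
# syntax. The IIS hosts appear in both lists on purpose: IIS_SERVERS narrows
# web-iis.rules, HTTP_SERVERS still has to cover IIS for everything else.
emit_vars() {
  iis=$1
  others=${2:-}
  echo "var IIS_SERVERS [$iis]"
  if [ -n "$others" ]; then
    echo "var HTTP_SERVERS [$iis,$others]"
  else
    echo "var HTTP_SERVERS [$iis]"
  fi
}

# Stand-alone run on the constructed sample directory.
tmp=$(mktemp -d)
make_sample_rules "$tmp"
for f in "$tmp"/*.rules; do
  printf '%s: %s\n' "$(basename "$f")" "$(count_http_servers_refs "$f")"
done
rewrite_iis_rules "$tmp"
printf 'rules outside web-iis.rules that still use $HTTP_SERVERS: %s\n' "$(count_other_refs "$tmp")"
emit_vars '10.0.0.5/32,10.0.0.6/32' '10.0.0.7/32,10.0.0.8/32'
rm -rf "$tmp"
```

The count_other_refs figure is the one to watch: it is unchanged by the rewrite, which is the point of keeping the IIS addresses inside HTTP_SERVERS as well. Only if you remove them from HTTP_SERVERS do those rules stop applying to the IIS hosts.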