[Snort-users] Making snort smarter...

Paul Schmehl pauls at ...6838...
Tue Apr 29 12:12:08 EDT 2003


I see exactly what you mean, but that's easily fixed.

var HTTP_SERVERS [ip1,ip2,ip3,$IIS_SERVERS]

--On Tuesday, April 29, 2003 01:49:24 PM -0500 bmcdowell at ...7861... 
wrote:

> No, you misunderstand me.  Reverse it.  Do none of the other rules
> detect things that affect IIS?  For example, there's web-attacks,
> web-cgi, etc.  In fact here's the number of times '$HTTP_SERVERS' is
> found in the ruleset I have:
>
> ATTACK-RESPONSES.RULES: 12
> DELETED.RULES: 12
> DOS.RULES: 1
> MISC.RULES: 2
> WEB-ATTACKS.RULES: 47
> WEB-CGI.RULES: 296
> WEB-COLDFUSION.RULES: 35
> WEB-FRONTPAGE.RULES: 34
> WEB-IIS.RULES: 113
> WEB-MISC.RULES: 261
> WEB-PHP.RULES: 15
>
> So, if you make it so something in '$IIS_SERVERS' is not in
> '$HTTP_SERVERS', tons of rules no longer apply.  Not simply the ones in
> web-iis.  This may have an undesired impact...

Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
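An added check (example code, not from this thread or the Snort project) for the point discussed above: it resolves Snort `var` lists, following nested `$VAR` references, reports any `$IIS_SERVERS` host that is absent from `$HTTP_SERVERS`, and tallies `$HTTP_SERVERS` rules per file like the counts quoted in the reply. The addresses, rule lines and file names are constructed samples.

```python
import re
from collections import Counter
# Constructed snort.conf fragments (sample addresses, not from the original post).
GOOD_CONF = """
var IIS_SERVERS [192.0.2.10,192.0.2.11]
var HTTP_SERVERS [192.0.2.20,192.0.2.21,$IIS_SERVERS]
"""
BAD_CONF = """
var IIS_SERVERS [192.0.2.10,192.0.2.11]
var HTTP_SERVERS [192.0.2.20,192.0.2.10]
"""

# Constructed rules in the style of the web-iis / web-cgi rule files.
RULE_FILES = {
    "web-iis.rules": [
        'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"sample"; sid:1000001;)',
        'alert tcp $EXTERNAL_NET any -> $IIS_SERVERS 80 (msg:"sample"; sid:1000002;)',
    ],
    "web-cgi.rules": [
        'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"sample"; sid:1000003;)',
    ],
}

VAR_RE = re.compile(r"^\s*var\s+(\w+)\s+(\S+)", re.M)

def parse_vars(conf):
    return dict(VAR_RE.findall(conf))  # {name: raw value} for each 'var NAME value'

def resolve(name, vars_, seen=frozenset()):
    """Expand a var into a flat set of addresses, following nested $VAR references."""
    if name in seen:
        raise ValueError(f"circular reference in ${name}")
    out = set()
    for item in vars_[name].strip("[]").split(","):
        item = item.strip()
        if item.startswith("$"):
            out |= resolve(item[1:], vars_, seen | {name})
        elif item:
            out.add(item)
    return out

def iis_hosts_missing_from_http(conf):
    """IIS hosts that no $HTTP_SERVERS rule would inspect."""
    v = parse_vars(conf)
    return resolve("IIS_SERVERS", v) - resolve("HTTP_SERVERS", v)

def http_servers_refs(rule_files):
    """Count rules per file that use $HTTP_SERVERS, like the tally in the quoted mail."""
    return Counter(f for f, rules in rule_files.items() for r in rules if "$HTTP_SERVERS" in r)
```

An empty result from `iis_hosts_missing_from_http` means every IIS host is still covered by the web-attacks, web-cgi and other `$HTTP_SERVERS` rules.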
