[Snort-users] Making snort smarter...
pauls at ...6838...
Tue Apr 29 12:12:08 EDT 2003
I see exactly what you mean, but that's easily fixed.
$HTTP_SERVERS = [ip1,ip2,ip3,$IIS_SERVERS]
--On Tuesday, April 29, 2003 01:49:24 PM -0500 bmcdowell at ...7861...
> No, you misunderstand me. Reverse it. Do none of the other rules
> detect things that affect IIS? For example, there's web-attacks,
> web-cgi, etc. In fact here's the number of times '$HTTP_SERVERS' is
> found in the ruleset I have:
> ATTACK-RESPONSES.RULES: 12
> DELETED.RULES: 12
> DOS.RULES: 1
> MISC.RULES: 2
> WEB-ATTACKS.RULES: 47
> WEB-CGI.RULES: 296
> WEB-COLDFUSION.RULES: 35
> WEB-FRONTPAGE.RULES: 34
> WEB-IIS.RULES: 113
> WEB-MISC.RULES: 261
> WEB-PHP.RULES: 15
> So, if you make it so something in '$IISSERVERS' is not in
> '$HTTP_SERVERS', tons of rules no longer apply. Not simply the ones in
> web-iis. This may have an undesired impact...
Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
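
Added example (not part of the original message or of Snort itself): a small Python check that resolves nested var definitions in a snort.conf and reports any address in IIS_SERVERS that HTTP_SERVERS does not cover, which is the gap discussed in this thread. The sample configuration, its addresses and the function names are constructed for illustration; negated entries (!) and "any" are not handled.

```python
import ipaddress
import re

# Constructed snort.conf fragment (addresses are from a documentation range).
SAMPLE_CONF = """
var HOME_NET 192.0.2.0/24
var IIS_SERVERS [192.0.2.10,192.0.2.11]   # IIS hosts only
var HTTP_SERVERS [192.0.2.20,192.0.2.21,$IIS_SERVERS]
"""

VAR_LINE = re.compile(r"^\s*var\s+(\w+)\s+(.+?)\s*$")


def parse_vars(conf_text):
    """Return {name: raw value} for every 'var NAME VALUE' line."""
    variables = {}
    for line in conf_text.splitlines():
        match = VAR_LINE.match(line.split("#", 1)[0])  # drop trailing comments
        if match:
            variables[match.group(1)] = match.group(2)
    return variables


def resolve(name, variables, _seen=()):
    """Expand a variable into ip_network objects, following $NAME references."""
    if name in _seen:
        raise ValueError("circular reference through " + name)
    networks = []
    for item in variables[name].strip("[]").split(","):
        item = item.strip()
        if not item:
            continue
        if item.startswith("$"):
            networks.extend(resolve(item[1:], variables, _seen + (name,)))
        else:
            networks.append(ipaddress.ip_network(item, strict=False))
    return networks


def uncovered(subset_var, superset_var, variables):
    """List entries of subset_var that no entry of superset_var contains."""
    superset = resolve(superset_var, variables)
    return [str(net) for net in resolve(subset_var, variables)
            if not any(net.subnet_of(sup) for sup in superset)]


if __name__ == "__main__":
    conf = parse_vars(SAMPLE_CONF)
    missing = uncovered("IIS_SERVERS", "HTTP_SERVERS", conf)
    print("IIS hosts missing from HTTP_SERVERS:", missing or "none")
```

An empty result means every rule written against $HTTP_SERVERS still applies to the IIS hosts.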