[Snort-users] Problems with web-iis rules

Erek Adams erek at ...950...
Mon Jul 7 12:43:05 EDT 2003


On Mon, 7 Jul 2003, Josue Souza wrote:

> I have a FreeBSD 4.8 box with snort-2.0.0 installed (with
> mysql-server-4.0.13_1 and acid-0.9.6b23), everything installed from the
> ports collection. Snort is loggin to a MySQL database and to the
> /var/log/snort/alerts file. I was testing the detection of attack
> attempts and noticed that some are detected and others not. For exemple,
> when I try to connect to TCP port 8080 on the snort box from my
> workstation I get an alert SCAN Proxy (8080) but when I try, for
> example, a URL pattern found in web-iis.rules, lets say
> http://mysnortbox/scripts/repost.asp, there is no alert.
>
> Any advices on what is going on? I'm sorry if this is a silly question,
> but I'm new with snort (although I have some experience with other IDSs
> such as Enterasys' Dragon) and I didn't find any documentation on this
> subject.

First look at the rule:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS
repost.asp access"; flow:to_server,established;
uricontent:"/scripts/repost.asp"; nocase; reference:nessus,10372;
classtype:web-application-activity; sid:1076; rev:6;)


Notice that 'flow' statement?  That's the reason.  The your test isn't
part of an established session.  If that was removed, then the rule would
work like you expect.

Cheers!
-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson




More information about the Snort-users mailing list