[Snort-users] Problems with web-iis rules

Erek Adams erek at ...950...
Mon Jul 7 12:43:05 EDT 2003

On Mon, 7 Jul 2003, Josue Souza wrote:

> I have a FreeBSD 4.8 box with snort-2.0.0 installed (with
> mysql-server-4.0.13_1 and acid-0.9.6b23), everything installed from the
> ports collection. Snort is logging to a MySQL database and to the
> /var/log/snort/alerts file. I was testing the detection of attack
> attempts and noticed that some are detected and others not. For example,
> when I try to connect to TCP port 8080 on the snort box from my
> workstation I get an alert SCAN Proxy (8080) but when I try, for
> example, a URL pattern found in web-iis.rules, let's say
> http://mysnortbox/scripts/repost.asp, there is no alert.
> Any advice on what is going on? I'm sorry if this is a silly question,
> but I'm new to snort (although I have some experience with other IDSs
> such as Enterasys' Dragon) and I didn't find any documentation on this
> subject.

First look at the rule:

repost.asp access"; flow:to_server,established;
uricontent:"/scripts/repost.asp"; nocase; reference:nessus,10372;
classtype:web-application-activity; sid:1076; rev:6;)

Notice that 'flow' statement?  That's the reason.  Your test isn't
part of an established session.  If that was removed, then the rule would
work like you expect.

Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
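The flow check Erek points to, as an added example that is not part of the original thread and not Snort's own code: a small Python model of how a stream tracker follows the TCP handshake and how a sid:1076-style rule only examines the URI once flow:to_server,established is satisfied. The endpoints, the request and the tracker are constructed stand-ins; the real uricontent option inspects the normalized URI produced by the HTTP preprocessor, which this approximates with a case-insensitive substring search of the request.

```python
from collections import namedtuple

# Constructed endpoints and request: a workstation talking to the Snort box's web server.
CLIENT, SERVER = ("10.0.0.5", 40000), ("10.0.0.1", 80)
REQUEST = b"GET /scripts/Repost.asp HTTP/1.0\r\nHost: mysnortbox\r\n\r\n"
Packet = namedtuple("Packet", "src dst flags payload", defaults=[b""])  # flags: set of TCP flags

class FlowTracker:
    """Minimal stand-in for the stream preprocessor: follows the three-way
    handshake so that 'flow:established' has state to check against."""
    def __init__(self):
        self.flows = {}   # (client, server) -> "SYN" | "SYN_ACK" | "ESTABLISHED"

    def update(self, pkt):
        """Advance handshake state; return (state, direction) for this packet."""
        fwd, rev = (pkt.src, pkt.dst), (pkt.dst, pkt.src)
        if pkt.flags == {"SYN"}:              # whoever sends the SYN is the client
            self.flows[fwd] = "SYN"
            return "SYN", "to_server"
        if fwd in self.flows:                 # client -> server
            if self.flows[fwd] == "SYN_ACK" and "ACK" in pkt.flags:
                self.flows[fwd] = "ESTABLISHED"
            return self.flows[fwd], "to_server"
        if rev in self.flows:                 # server -> client
            if self.flows[rev] == "SYN" and pkt.flags == {"SYN", "ACK"}:
                self.flows[rev] = "SYN_ACK"
            return self.flows[rev], "to_client"
        return "NONE", None                   # midstream packet with no tracked flow

def repost_rule_fires(tracker, pkt):
    """sid:1076-style check: flow:to_server,established is tested first; the
    uricontent match is approximated by a case-insensitive search of the request."""
    state, direction = tracker.update(pkt)
    if state != "ESTABLISHED" or direction != "to_server":
        return False                          # flow option fails, content is never examined
    return b"/scripts/repost.asp" in pkt.payload.lower()

def demo():
    """Same request, once without and once after a tracked handshake."""
    cold = FlowTracker()
    bare = repost_rule_fires(cold, Packet(CLIENT, SERVER, {"ACK"}, REQUEST))
    warm = FlowTracker()                      # replay the three-way handshake first
    for src, dst, flags in [(CLIENT, SERVER, {"SYN"}), (SERVER, CLIENT, {"SYN", "ACK"}),
                            (CLIENT, SERVER, {"ACK"})]:
        warm.update(Packet(src, dst, flags))
    full = repost_rule_fires(warm, Packet(CLIENT, SERVER, {"ACK"}, REQUEST))
    return bare, full
```

demo() returns (False, True): the identical request is ignored when the sensor never saw a handshake and alerts once the flow is tracked as established.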
