[Snort-users] What am I Protecting Against?

Roy S. Rapoport snort-users at ...9230...
Mon Jun 2 17:33:06 EDT 2003


Sorry, couldn't come up with something wittier.

Now that I've got ACID running, I'm attempting to make sure I understand
what alerts I'm seeing and why I'm seeing them.  Obvious, ain't it?

My goal is to get to the point that I log all things reasonably
considered intrusions or recon, but to only alert on things that are
actually threats -- in other words, I don't want to know at 2am that
someone's trying to compromise my MS SQL Server, since it's running on
UNIX and isn't MS SQL.  Oh, and it's not available to the net :). 

So I'm trying to figure out what some rules are actually trying to
protect me against; sometimes, there are references to actual docs that
make this obvious; sometimes, the rule documentation covers it.
However, some rules are still undocumented.  So for example, I give you
SID 1852:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC robots.txt access"; flow:to_server,established; uricontent:"/robots.txt"; nocase; reference:nessus,10302; classtype:web-application-activity; sid:1852; rev:3;) 

As I see it, this alerts you of any attempts by anyone to access
/robots.txt on your HTTP server.

So hey, maybe I'm an idiot, but why? Trying to get /robots.txt is a
simple part of any search engine that spiders your site.  _I_ don't see
it as a security issue at all.  Am I missing something?

And, more generally, is there a way to find out, essentially, what the
rule writer was thinking when they came up with the rule?

-roy




More information about the Snort-users mailing list