[Snort-users] Testing Snort

Charles Heselton charles.heselton at ...11827...
Sun Aug 1 21:20:12 EDT 2004


----- Original Message -----
From: Jody Gilbert <jdg at ...12210...>
Date: Sun, 1 Aug 2004 21:24:29 +0100
Subject: [Snort-users] Testing Snort
To: snort-users at lists.sourceforge.net

 

Hello All, 

I have just installed snort for the first time and am trying to test
it from my PC.

I am having trouble testing the web-iis rules. 

I have tried accessing /msadcs.dll and /cmd.exe on some of the web
servers on our LAN, but no alerts are created by snort.

I added the following rule to Snort as a test, which produced plenty of alerts: 

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"Test WEB-IIS";
flow:to_server; sid:1970; rev:6;)

However, when I add 'uricontent:"/msadcs.dll"; nocase;' to the above
rule I do not get any alerts.

I am new to Snort, so I imagine (hope) it's something pretty simple. 

Can anyone point me in the right direction? 

I am running Snort 2.1.3 on a Windows XP PC. 

Cheers, 

Jody 
 

-------------------------------------------------------------------------
  
 Jody Gilbert
 IT Manager
  

Taken from the Snort User's Guide (available for download/reading at
www.snort.org):
 
The uricontent parameter in the snort rule language searches the
NORMALIZED request URI field. This means that if you are writing rules
that include things that are normalized, such as %2f or directory
traversals, these rules will not alert. The reason is that the things
you are looking for are normalized out of the URI buffer.


Try using the "content" directive, instead of the "uricontent"
directive.  I believe the types of events that you are trying to
detect would be classified as directory traversals, even though you
are looking for specific strings.

-- 
Charlie Heselton
Network Security Engineer
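As an added illustration of the distinction quoted above (this is example code, not part of either poster's message), the snippet below uses a simplified Python stand-in for http_inspect's URI normalization and emulates uricontent against the normalized buffer and content against the raw bytes. The normalizer and the sample URIs are constructed for this example and only approximate what Snort does.

```python
"""Why a uricontent pattern containing "%2f" or "../" never fires: Snort
compares uricontent against the NORMALIZED request URI, while content
sees the raw bytes.  normalize_uri() is a deliberately simplified
stand-in for http_inspect (single percent-decode, slash collapsing,
'.'/'..' resolution), not Snort's real implementation."""
from urllib.parse import unquote


def normalize_uri(raw_uri: str) -> str:
    """Approximate http_inspect normalization of a request URI."""
    # One decoding pass only; double-decoding is a separate condition.
    decoded = unquote(raw_uri)
    out = []
    for seg in decoded.split("/"):
        if seg in ("", "."):        # collapses "//" and "/./"
            continue
        if seg == "..":             # resolve traversal, never above root
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def uricontent_matches(pattern: str, raw_uri: str, nocase: bool = True) -> bool:
    """Emulate uricontent:"<pattern>"; nocase; -- searches the normalized URI."""
    hay, needle = normalize_uri(raw_uri), pattern
    if nocase:
        hay, needle = hay.lower(), needle.lower()
    return needle in hay


def content_matches(pattern: str, raw_uri: str, nocase: bool = True) -> bool:
    """Emulate content:"<pattern>"; nocase; -- searches the raw request bytes."""
    hay, needle = (raw_uri.lower(), pattern.lower()) if nocase else (raw_uri, pattern)
    return needle in hay


if __name__ == "__main__":
    # Constructed sample URIs for illustration, not captured traffic.
    samples = [
        "/msadcs.dll",
        "/MSADC/%2fmsadcs.dll",
        "/scripts/..%2f../winnt/system32/cmd.exe",
    ]
    for uri in samples:
        print(f"{uri!r:45} -> normalized {normalize_uri(uri)!r}")
    # A pattern written with the encoded slash only matches the raw buffer.
    print("uricontent %2fmsadcs.dll:", uricontent_matches("%2fmsadcs.dll", samples[1]))
    print("content    %2fmsadcs.dll:", content_matches("%2fmsadcs.dll", samples[1]))
```

The practical takeaway for rule writing is that uricontent patterns should be written in the decoded, traversal-free form ("/msadcs.dll", "/cmd.exe"), which is also why a plain "/msadcs.dll" uricontent matches the encoded request in the sample.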
