[Snort-users] Testing Snort

Jody Gilbert JDG at ...12210...
Mon Aug 2 00:32:04 EDT 2004


Thanks for the tip, I have tried using content="/msadcs.dll", but I still
don't get any alerts.

Cheers,
Jody

-----Original Message-----
From: Charles Heselton [mailto:charles.heselton at ...11827...] 
Sent: 02 August 2004 05:20
To: Jody Gilbert
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Testing Snort

----- Original Message -----
From: Jody Gilbert <jdg at ...12210...>
Date: Sun, 1 Aug 2004 21:24:29 +0100
Subject: [Snort-users] Testing Snort
To: snort-users at lists.sourceforge.net

 

Hello All, 

I have just installed snort for the first time and am trying to test
it from my PC.

I am having trouble testing the web-iis rules. 

I have tried accessing /msadcs.dll and /cmd.exe on some of the web
servers on our LAN, but no alerts are created by snort.

I added the following rule Snort as a test, which produced plenty of alerts:


alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"Test WEB-IIS";
flow:to_server; sid:1970; rev:6;)

However, when I add 'uricontent:"/msadcs.dll"; nocase;' to the above
rule I do not get any alerts.

I am new to Snort, so I imagine (hope) it's something pretty simple. 

Can anyone point me in the right direction? 

I am running Snort 2.1.3 on a Windows XP PC. 

Cheers, 

Jody 
 

-------------------------------------------------------------------------
  
 Jody Gilbert
 IT Manager
  

Taken from the Snort User's Guide (available for download/reading at
www.snort.org):
 
The uricontent parameter in the snort rule language searches the
NORMALIZED request URI field. This means that if you are writing rules
that include things that are normalized, such as %2f or directory
traversals, these rules will not alert. The reason is that the things
you are looking for are normalized out of the URI buffer.


Try using the "content" directive, instead of the "uricontent"
directive.  I believe the types of events that you are trying to
detect would be classified as directory traversals, even though you
are looking for specific strings.

-- 
Charlie Heselton
Network Security Engineer


*************** NOTICE & DISCLAIMER *************************

This email and any files transmitted with it are confidential and will be protected by copyright and are for the attention of the addressee only.  This email may also be privileged.

If you have received this email in error please notify us by email reply and delete it from your system.  
You may not copy this message or disclose its contents to anyone.  Any views or opinions presented in this email are solely those of the author and do not necessarily represent those of Ovum.  Ovum accepts no liability for the content of this email, or for the consequences of any actions taken on the basis of the information provided, unless you are the intended recipient and such liability accords with Ovum's Terms and Conditions of Business.  

If you are not the intended recipient, please note that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.

Ovum accepts no liability for any damage caused by any virus transmitted by this email. 

Registered Office: Ovum Holdings Limited, Cardinal Tower, 12 Farringdon Road, London EC1M 3HS, United Kingdom

*******************************************************************





More information about the Snort-users mailing list