[Snort-users] How to Triggering Windows Exploits?

ids at ...8382... ids at ...8382...
Tue May 25 15:32:01 EDT 2004


Hi Joshua,

Your answer is a little bit different from what I was asking. Let me elaborate a little. Are the rules written in a way that requires a targeted computer have to respond to an attack or something of that nature for Snort to issue an alert. I have yet to see my Snort sensor alert me to any MS exploits (various network worms such as Sasser, blaster...etc) . I assumed the reason for this was because there are no Windows PC connected to the network Snort is sensing on. Another test I ran to see if Snort would issue an alert was the Cisco exploits. I do not have any Cisco devices on my network but I attempted to trigger an alert my hitting an IP on the protected network with the PERL script. No alerts. Do I have to have the appropriate Cisco deivce to trigger the alert? Just a side note I'm using the most current rules for Snort (inluding the rules to detect the Cisco exploits) for testing and information gathering.


Any help on this I would greatly appreciate!


Alan

----- Original Message -----
From: Joshua Berry <jberry at ...11848...>
Date: Tuesday, May 25, 2004 1:39 pm
Subject: RE: [Snort-users] How to Triggering Windows Exploits?

> Snort will not verify OS or Services running on the target machine
> unless you patch it with something like the Attack Verification patch
> that uses Nessus to verify actual vulnerabilities of the target.
> 
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [snort-users-admin at lists.sourceforge.net] On Behalf Of
> ids at ...8382...
> Sent: Tuesday, May 25, 2004 2:46 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] How to Triggering Windows Exploits?
> 
> Hi everyone-
> 
> 
> I have a simple question. Is it true that some Snort alerts are only
> triggered if the target computer is vulnerable to that attack? To 
> be a
> little more specific... if an attacks targets an exploit in 
> Windows 2000
> and I only have Linux running in my network will Snort alert me to 
> thoseWindows attacks? The reason I ask is because I have a Snort 
> sensordetecting detecting attacks against a Linux box running 
> Apache. I
> noticed that the only attacks I detect are SQL, HTTP and Linux 
> related.About a week ago for a brief time an associate put a 
> Windows 2k box off
> of the hub and I started to get hit with these Alerts I had never seen
> before (MS Exploits). I want to capture more data on the amount of
> exploits attacks on Windows and was wondering for me to gather 
> that data
> would I have to have a Windows computer on the network Snort is 
> sensing?Thanks in advance!
> 
> 
> Alan     
> 
> 
> 
> -------------------------------------------------------
> This SF.Net email is sponsored by: Oracle 10g
> Get certified on the hottest thing ever to hit the market... 
> Oracle 10g.
> 
> Take an Oracle 10g class now, and we'll give you the exam FREE.
> http://ads.osdn.com/?ad_id=3149&alloc_id=8166&op=click
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 





More information about the Snort-users mailing list