[Snort-users] How to Triggering Windows Exploits?

James Riden j.riden at ...11179...
Tue May 25 18:09:07 EDT 2004


ids at ...8382... writes:

> Hi Joshua,
>
> Your answer is a little bit different from what I was asking. Let me
> elaborate a little. Are the rules written in a way that requires a
> targeted computer to respond to an attack or something of that
> nature for Snort to issue an alert? I have yet to see my Snort
> sensor alert me to any MS exploits (various network worms such as
> Sasser, Blaster, etc.). I assumed the reason for this was because
> there are no Windows PCs connected to the network Snort is sensing
> on.

If you haven't got any Windows boxes, you sometimes won't be able to
establish a TCP session, e.g. for ports 1900, 1500, 445, etc., so most of
the rules won't fire.

If you're running stuff like samba, you should still be able to see
warnings about connecting to IPC$, or if you've got Apache, the IIS
rules will happily alert you to attempted cmd.exe accesses, etc. And
you may see stuff like Slammer worm packets because that's UDP and
doesn't need a session established.

cheers,
 Jamie
-- 
James Riden / j.riden at ...11179... / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
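As an added illustration of the point in the reply above (example code, not from the list post or from Snort itself): a simplified model of how a TCP rule carrying Snort's `flow:established` option stays quiet when nothing on the sensed network answers the SYN to port 445, while the same content fires once a Samba host completes the handshake, and a UDP rule fires on a single datagram. The rules, addresses and payload markers are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Pkt:                   # one packet; TCP flags are "S", "SA", "A" or "PA"
    proto: str; src: str; dst: str; sport: int; dport: int
    flags: str = ""; payload: bytes = b""

@dataclass
class Rule:                  # constructed rules, not real Snort signatures
    msg: str; proto: str; dport: int; content: bytes; established: bool

class FlowTracker:
    """A TCP flow counts as established only after the SYN/ACK and the client's ACK."""
    def __init__(self):
        self.state = {}      # (client, server, server_port) -> handshake stage
    def established(self, p):
        if p.proto != "tcp":
            return False
        if p.flags == "SA":  # server's reply, keyed from the client's point of view
            self.state[(p.dst, p.src, p.sport)] = "synack"
            return False
        key = (p.src, p.dst, p.dport)
        if self.state.get(key) == "synack" and "A" in p.flags:
            self.state[key] = "established"
        return self.state.get(key) == "established"

def run_rules(packets, rules):
    tracker, alerts = FlowTracker(), []
    for p in packets:
        est = tracker.established(p)
        for r in rules:
            if r.proto == p.proto and r.dport == p.dport and r.content in p.payload:
                if r.established and not est:
                    continue  # flow:established: no completed handshake, no alert
                alerts.append(r.msg)
    return alerts

RULES = [Rule("SMB IPC$ share access", "tcp", 445, b"IPC$", True),
         Rule("UDP 1434 worm-like datagram", "udp", 1434, b"\x04", False)]
A, V = "10.0.0.9", "10.0.0.20"   # constructed addresses: scanner and sensor-side host
def no_windows_host():   # SYN unanswered; a stray data segment still carries IPC$
    pkts = [Pkt("tcp", A, V, 40000, 445, "S"), Pkt("tcp", A, V, 40000, 445, "PA", b"\\IPC$")]
    return run_rules(pkts, RULES)

def samba_host():        # full handshake, then the same data: the stateful rule fires
    pkts = [Pkt("tcp", A, V, 40001, 445, "S"), Pkt("tcp", V, A, 445, 40001, "SA"),
            Pkt("tcp", A, V, 40001, 445, "A"), Pkt("tcp", A, V, 40001, 445, "PA", b"\\IPC$")]
    return run_rules(pkts, RULES)
def udp_only():          # UDP needs no session, so one datagram is enough to alert
    return run_rules([Pkt("udp", A, V, 5000, 1434, payload=b"\x04" + b"A" * 8)], RULES)
```

Running the three scenarios shows the first producing no alert at all, which is the behaviour the original poster saw on a network with no Windows hosts.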