[Snort-users] How to Triggering Windows Exploits?

Alan ids at ...8382...
Wed May 26 02:02:40 EDT 2004


Let me see if I have this correct... If flow: to_server, established is part
of a rule and there is a service allowing this establishment (http, ftp,
SQL, etc.), then I should see an alert trigger regardless of whether I have a
system that can be affected, such as your example with Apache triggering IIS
alerts (Apache is advertising HTTP port 80, allowing the established session;
then Snort detects the IIS exploit and sends me an alert). I think the key
to this is the flow: to_server, established part of the rule. It now makes
total sense if I have this all correct.



I'm doing a (free) operating system (just a hobby, won't be big and
professional like gnu) for 386(486) AT clones.

Linus (torvalds at ...11786...)
Date: 1991-08-25 23:12:08 PST

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of James Riden
Sent: Tuesday, May 25, 2004 6:05 PM
To: ids at ...8382...
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] How to Triggering Windows Exploits?

ids at ...8382... writes:

> Hi Joshua,
> Your answer is a little bit different from what I was asking. Let me
> elaborate a little. Are the rules written in a way that requires a
> targeted computer to respond to an attack or something of that
> nature for Snort to issue an alert? I have yet to see my Snort
> sensor alert me to any MS exploits (various network worms such as
> Sasser, Blaster, etc.). I assumed the reason for this was because
> there are no Windows PCs connected to the network Snort is sensing
> on.

If you haven't got any Windows boxes, you sometimes won't be able to
establish a TCP session, e.g. for ports 1900, 1500, 445, etc., so most of
the rules won't fire.

If you're running stuff like samba, you should still be able to see
warnings about connecting to IPC$, or if you've got Apache, the IIS
rules will happily alert you to attempted cmd.exe accesses, etc. And
you may see stuff like Slammer worm packets because that's UDP and
doesn't need a session established.

James Riden / j.riden at ...11179... / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
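The behaviour James describes (a rule gated by flow:to_server,established only fires once the stream tracker has seen a completed handshake, while a UDP rule needs no session at all) can be shown with a small model of Snort's stream tracking and rule evaluation. The code below is an added illustration, not Snort's code and not from either poster. The three rules are simplified stand-ins loosely modelled on the ones mentioned in the thread, not copied from the Snort ruleset; the IP addresses, port numbers and packet payloads are constructed, and the byte marker used for the "worm" datagram is made up rather than the real Slammer signature.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""     # TCP flags as letters: "S", "SA", "A", "PA", "RA"
    payload: bytes = b""


# Hypothetical, simplified rules. Real Snort rules add far more options
# (uricontent, depth, classtype, sid ...); only proto, port, flow and
# content matter for this demonstration.
RULES = [
    {"msg": "WEB-IIS cmd.exe access", "proto": "tcp", "dport": 80,
     "flow": ("to_server", "established"), "content": b"cmd.exe"},
    {"msg": "NETBIOS SMB IPC$ share access", "proto": "tcp", "dport": 445,
     "flow": ("to_server", "established"), "content": b"IPC$"},
    {"msg": "MS-SQL Worm propagation attempt", "proto": "udp", "dport": 1434,
     "flow": None, "content": b"\x04\x01\x01\x01\x01"},  # constructed marker
]


class StreamTracker:
    """Toy stand-in for Snort's stream preprocessor: follows the TCP
    three-way handshake so rules can ask 'established?' and 'to_server?'.
    Packets for sessions it never saw start are simply untracked (real
    preprocessors have configurable mid-stream pickup; omitted here)."""

    def __init__(self):
        self.sessions = {}  # (client, cport, server, sport) -> state

    def update(self, p):
        """Feed one packet; return (direction, established)."""
        if p.proto != "tcp":
            return None, False
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if "R" in p.flags:                      # RST tears the session down
            self.sessions.pop(fwd, None)
            self.sessions.pop(rev, None)
            return None, False
        if fwd in self.sessions:
            key, direction = fwd, "to_server"
        elif rev in self.sessions:
            key, direction = rev, "to_client"
        elif p.flags == "S":                    # new session, client -> server
            self.sessions[fwd] = "SYN_SENT"
            return "to_server", False
        else:
            return None, False                  # untracked mid-stream packet
        state = self.sessions[key]
        if state == "SYN_SENT" and direction == "to_client" and "S" in p.flags and "A" in p.flags:
            self.sessions[key] = "SYN_RECV"
        elif state == "SYN_RECV" and direction == "to_server" and "A" in p.flags:
            self.sessions[key] = "ESTABLISHED"
        return direction, self.sessions[key] == "ESTABLISHED"


def match(rule, p, direction, established):
    """Evaluate one rule against one packet given its stream state."""
    if rule["proto"] != p.proto or rule["dport"] != p.dport:
        return False
    if rule["flow"] is not None:
        want_dir, want_state = rule["flow"]
        if want_state == "established" and not established:
            return False
        if direction != want_dir:
            return False
    return rule["content"].lower() in p.payload.lower()   # 'nocase'


def run(packets):
    """Return the list of rule messages that fire, in packet order."""
    tracker = StreamTracker()
    alerts = []
    for p in packets:
        direction, established = tracker.update(p)
        alerts.extend(r["msg"] for r in RULES if match(r, p, direction, established))
    return alerts


# Constructed hosts: an attacker, an Apache box, a Linux box with nothing
# on 445, and a host receiving a UDP 1434 datagram.
ATTACKER, APACHE, LINUX_NO_SMB, UDP_TARGET = "198.51.100.7", "192.0.2.10", "192.0.2.11", "192.0.2.12"


def scenario_apache_cmd_exe():
    """Apache completes the handshake, so an IIS-style probe alerts even
    though no IIS server exists on the network."""
    return [
        Packet("tcp", ATTACKER, 40001, APACHE, 80, "S"),
        Packet("tcp", APACHE, 80, ATTACKER, 40001, "SA"),
        Packet("tcp", ATTACKER, 40001, APACHE, 80, "A"),
        Packet("tcp", ATTACKER, 40001, APACHE, 80, "PA",
               b"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"),
    ]


def scenario_closed_445():
    """Nothing listens on 445: the host answers RST, no session is ever
    established, and the SMB rule never fires. The trailing data packet is
    constructed to show the gate; a real stack would not send it after RST."""
    return [
        Packet("tcp", ATTACKER, 40002, LINUX_NO_SMB, 445, "S"),
        Packet("tcp", LINUX_NO_SMB, 445, ATTACKER, 40002, "RA"),
        Packet("tcp", ATTACKER, 40002, LINUX_NO_SMB, 445, "PA", b"\x00\x00\x00\x2fSMB \\\\host\\IPC$"),
    ]


def scenario_worm_udp():
    """UDP has no session state, so the rule fires on a single datagram."""
    return [Packet("udp", ATTACKER, 1434, UDP_TARGET, 1434, "",
                   b"\x04\x01\x01\x01\x01" + b"\x01" * 90 + b"sock")]


if __name__ == "__main__":
    for name, s in [("apache", scenario_apache_cmd_exe), ("closed 445", scenario_closed_445),
                    ("udp 1434", scenario_worm_udp)]:
        print(f"{name}: {run(s())}")
```

The first scenario alerts on the cmd.exe request because the handshake with Apache completes and the payload flows client to server; the second stays silent because the RST means the 445 session is never established, so the rule's flow check fails before content is even looked at; the third alerts on a lone datagram because the UDP rule carries no flow requirement. The same logic is why a sensor with no Windows hosts still sees IIS-style alerts against Apache and Slammer-style UDP noise but almost nothing for SMB or RPC worms.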
