[Snort-users] Testing Snort with Blade IDS Informer

Holger Mense holger at ...13256...
Wed Apr 27 13:41:48 EDT 2005


I did some further research.

* Holger Mense <holger at ...13256...>:

> Now I have recently tested my snort sensor (using snort 2.3.2 and latest snort 
> rules) with Blade Softwares IDS Informer demo version.
> However, I was a bit disappointed about the results. Besides the back orifice 
> and the two portscan attempts, my sensor didn't detect anything else of the 
> remaining 7 attacks provided by IDS Informer.
> In detail it didn't detect
>  - TCP DNS Zone Transfer
As stated in another email in this thread, I am able to see UDP DNS Zone 
Transfer alerts from real DNS servers.

>  - IIS htr Buffer Overflow
After editing the rule "WEB-IIS ism.dll attempt" and changing 'uricontent:" 
.htr"' in 'uricontent:".htr"' I am able to see this attack.

>  - traceroute attempt
I have just checked my logs. I have already "ICMP traceroute" alerts in my 
logs. However my sensor does not detect the one from IDS Informer.

So is any one here, who uses IDS Informer for testing his sensor? Is this 
person using the basic snort rule set (current version)? 

Thank you for your answers,

Holger Mense
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20050427/d65686da/attachment.sig>

More information about the Snort-users mailing list