[Snort-users] MS12-063 Rule Triggering

Kochen, Joe joe.kochen at ...16008...
Wed Dec 12 17:45:48 EST 2012


Let me start this off by saying I'm a relative noob when it comes to analyzing rules and exactly how they are getting triggered. I'm not sure of the best avenue for asking this question, so bear with me.

With that said, I have the MS12-063 rule enabled, and I can successfully exploit this vulnerability on the monitored network going through the sensors (using the standard Metasploit module). However, an event/alert never triggers. The sensors appear to be catching other misc things (just in case it was an overall problem with the sensor). I've taken a packet capture of the traffic and found all the keywords in the rule in the TCP stream; I haven't drilled down far enough to actually be sure that all the other parameters would allow for the rule to trigger.

I imagine the issue could lie in many different places, but are there any specific global configuration settings that might make this happen? Where would I want to start looking? Please note that I'm using the Sourcefire 3D sensors with a defense center.

Appreciate it,

Joe

