From: archana rao (archuatdavis_at_yahoo.com)
Date: Thu Oct 17 2002 - 13:45:27 CDT
When I use Snort to detect the attacks towards an IIS server which uses the URI:
GET /scripts/..%c0%af../winnt/system32/cmd.exe/c+"
why does it raise the alert "WEB-IIS cmd.exe access" with sid:1002 that looks for
content:"cmd.exe"
and not the alert "WEB-IIS File permission canonicalization" with sid:981 that looks for
uricontent:"/scripts/..%c0%af../"?
Archana
--- Chris Green <cmg_at_snort.org> wrote:
> archana rao <archuatdavis_at_yahoo.com> writes:
>
> > The site http://www.infosys.tuwien.ac.at/snort-ng/ mentions that
> > "For some strange reason, Snort stops the detection process for a
> > packet after the first matching rule - maybe to improve performance"
> > while talking about snort-ng. Is this the way it works in
> > Snort-1.9.0 too?
>
> For Snort-1.9.x yes.
>
> For Snort-2.0, no.
>
> There was a first exit match strategy first. The strange reason was
> once you got something you care about, why bother keeping going on and
> let the ruleset editors worry about rule ordering.
>
> If you're looking at snort-ng, look at the HEAD snort branch too.
> You'll be pleasantly surprised if you have the facilities to compare
> the two.
>
> > In what order are the rules matched against the incoming packets? Is
> > it the order in which they are listed in the *.rules file? Archana
>
> Look through the mailing list archives for a description of the
> RTN/OTN parsing.
> --
> Chris Green <cmg_at_sourcefire.com>
> To err is human, to moo bovine.
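The first-exit behaviour Chris describes, as an added toy model that is not part of the original thread and is not Snort's own code: the two rules from the question are reduced to their content/uricontent options and run against a constructed request built from the quoted URI. Under first-exit matching both rules match, and which alert you see is decided purely by which rule is evaluated first.

```python
"""Toy model of Snort 1.9-style first-exit matching (not Snort's own code)."""
from dataclasses import dataclass

@dataclass
class Rule:
    sid: int
    msg: str
    content: str = ""     # matched anywhere in the packet payload
    uricontent: str = ""  # matched against the request URI only

    def matches(self, payload: str, uri: str) -> bool:
        if self.content and self.content not in payload:
            return False
        if self.uricontent and self.uricontent not in uri:
            return False
        return True

# The two rules from the question, reduced to their content options.
RULES = [
    Rule(1002, "WEB-IIS cmd.exe access", content="cmd.exe"),
    Rule(981, "WEB-IIS File permission canonicalization",
         uricontent="/scripts/..%c0%af../"),
]

def request_uri(payload: str) -> str:
    """Pull the URI out of a request line such as 'GET /x HTTP/1.0'."""
    parts = payload.split("\r\n", 1)[0].split(" ")
    return parts[1] if len(parts) > 1 else ""

def evaluate(rules, payload, first_exit=True):
    """Return the sids that fire, in evaluation order. first_exit=True stops at
    the first match (Snort 1.9.x, per the reply); False reports every match."""
    fired = []
    uri = request_uri(payload)
    for rule in rules:
        if rule.matches(payload, uri):
            fired.append(rule.sid)
            if first_exit:
                break
    return fired

# Constructed request carrying the URI quoted in the question.
REQUEST = ("GET /scripts/..%c0%af../winnt/system32/cmd.exe/c+ HTTP/1.0\r\n"
           "Host: example.test\r\n\r\n")

if __name__ == "__main__":
    print(evaluate(RULES, REQUEST))                     # [1002]
    print(evaluate(list(reversed(RULES)), REQUEST))     # [981]
    print(evaluate(RULES, REQUEST, first_exit=False))   # [1002, 981]
```

Real Snort orders rules according to its RTN/OTN structure rather than file order, and compares uricontent against the normalized URI, so the model only shows the first-exit effect, not why sid:981 specifically lost out.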