RE: correlating alerts with action required

["Wirth, Jeff" <WirthJe () DNB com>]

Mike,

> So I've got my snort sensor running, watching traffic
> from the ISP.  A firewall limits ports and access to a
> web server.  I log many 'accesses' or 'attempts' (from
> the rule definitions) for all the various IIS
> vulnerabilities.  I was curious about a rule in the
> web-iis.rules file that was alerting me when someone
> tried to access cmd.exe.  I went to the log on the IIS
> server and found the event, and it returned a 404. 
> Fine, good answer.  I know that system is patched and
> up to date.
>
> My fairly basic question is, how can you tell if (and
> how) a host responded to one of these probes and is a
> canidate for compromise ?

Take a look at the "attack-response.rules".  These will alert you to web
servers responding in a *BAD* way to things like directory listing
requests...There is also a rule for "403 Forbidden" responses in
"web-misc.rules".

- Jeff

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users