Snort mailing list archives

RE: Making snort smarter...


From: Paul Schmehl <pauls () utdallas edu>
Date: Tue, 29 Apr 2003 14:11:30 -0500

I see exactly what you mean, but that's easily fixed.

$HTTP_SERVERS = [ip1,ip2,ip3,$IIS_SERVERS]

--On Tuesday, April 29, 2003 01:49:24 PM -0500 bmcdowell () coxhealthplans com wrote:

No, you misunderstand me.  Reverse it.  Do none of the other rules
detect things that affect IIS?  For example, there's web-attacks,
web-cgi, etc.  In fact here's the number of times '$HTTP_SERVERS' is
found in the ruleset I have:

ATTACK-RESPONSES.RULES: 12
DELETED.RULES: 12
DOS.RULES: 1
MISC.RULES: 2
WEB-ATTACKS.RULES: 47
WEB-CGI.RULES: 296
WEB-COLDFUSION.RULES: 35
WEB-FRONTPAGE.RULES: 34
WEB-IIS.RULES: 113
WEB-MISC.RULES: 261
WEB-PHP.RULES: 15

So, if you make it so something in '$IISSERVERS' is not in
'$HTTP_SERVERS', tons of rules no longer apply.  Not simply the ones in
web-iis.  This may have an undesired impact...

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
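A small check for the situation discussed in this thread, added here as an example and not code from either poster: it expands nested Snort `var` lists (the `$IIS_SERVERS`-inside-`$HTTP_SERVERS` pattern) and reports any IIS host that rules keyed on `$HTTP_SERVERS` would no longer see. The snort.conf fragment and addresses are constructed; only the variable names come from the thread.

```python
import re
import ipaddress

# Constructed snort.conf fragment (not either poster's real config). The first
# HTTP_SERVERS definition folds IIS_SERVERS in; the second one forgets to, which
# is the case bmcdowell warns about.
SNORT_CONF = """\
var IIS_SERVERS [192.0.2.10,192.0.2.11]
var HTTP_SERVERS [192.0.2.20,192.0.2.21,$IIS_SERVERS]
var HTTP_SERVERS_WITHOUT_IIS [192.0.2.20,192.0.2.21]
"""

# Matches 'var NAME value' or 'ipvar NAME value'; negated (!) entries are not handled.
VAR_RE = re.compile(r"^\s*(?:ip)?var\s+(\w+)\s+(\S+)\s*$")


def parse_vars(conf):
    """Return {name: [raw comma-separated tokens]} for each var/ipvar line."""
    variables = {}
    for line in conf.splitlines():
        m = VAR_RE.match(line)
        if m:
            variables[m.group(1)] = m.group(2).strip("[]").split(",")
    return variables


def resolve(name, variables, _seen=()):
    """Expand $VAR references recursively into a flat set of ip_network objects."""
    if name in _seen:
        raise ValueError(f"circular reference through ${name}")
    nets = set()
    for tok in variables[name]:
        tok = tok.strip()
        if tok.startswith("$"):
            nets |= resolve(tok[1:], variables, _seen + (name,))
        elif tok:
            nets.add(ipaddress.ip_network(tok, strict=False))
    return nets


def uncovered_iis_hosts(conf, iis_var="IIS_SERVERS", http_var="HTTP_SERVERS"):
    """IIS networks not contained in any HTTP_SERVERS network, i.e. hosts the
    web-* rules that use $HTTP_SERVERS would silently stop watching."""
    variables = parse_vars(conf)
    http_nets = resolve(http_var, variables)
    return {h for h in resolve(iis_var, variables)
            if not any(n.version == h.version and h.subnet_of(n) for n in http_nets)}


if __name__ == "__main__":
    print(sorted(map(str, uncovered_iis_hosts(SNORT_CONF))))
    print(sorted(map(str, uncovered_iis_hosts(SNORT_CONF, http_var="HTTP_SERVERS_WITHOUT_IIS"))))
```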

