Snort mailing list archives
Re: Making snort smarter...
From: Jason <security () brvenik com>
Date: Tue, 29 Apr 2003 22:28:18 -0400
I'm going to disagree with this thinking only to add a point of consideration.
Many times a vulnerability found in one application is found to affect the other in a similar asn possibly slightly different way some time later.
Take for example access to the NUL device on a MS platform. It affected apache too if it was running on a MS platform. If it is classified as an IIS issue and then applied to only IIS servers Apache dies and you miss it.
Of course it would be expected that the rule be revisited once something is found to affect a different platform/application but generally speaking the services tend to be vulnerable to similar attacks.
for MS _only_ services I can possibly see this justification but then again there is no certaintly that Apache or some other web service does not allow the vulnerability to manifest itself either. If the rule fires quite often then a somple change will tune it out.
It is a trade off that should be made with careful consideration and planning and ultimately requires research and tuning appropriate to the environment.
Paul Schmehl wrote:
Sure. All the web-iis.rules apply only to IIS. Why would I want alerts for apache running on Solaris when the attack only works on IIS?CodeRed, Nimda, etc. all only affect IIS. Right now all my webservers alert for that stuff, when the only ones I care about are IIS servers. An attacker can pound all day on an apache server looking for iissamples. Why would I care?--On Tuesday, April 29, 2003 10:49:20 AM -0500 bmcdowell () coxhealthplans com wrote:Not that I couldn't just look and find out for myself, but: Are there any 'web' rules that you want alerting for IIS servers? Obviously the reverse is the issue, but would such a fix break anything else? -----Original Message----- From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net]On Behalf Of Paul Schmehl Sent: Tuesday, April 29, 2003 9:49 AM To: Jason Haar; snort-users () lists sourceforge net Subject: Re: [Snort-users] Making snort smarter... Sure, I could do that, and then I'd have to cron it so that after oinkmaster replaces the rules they get fixed again. Wouldn't it be simpler to just incorporate this as a change to the ruleset? That way it's fixed for everyone. --On Tuesday, April 29, 2003 09:03:50 PM +1200 Jason Haar <Jason.Haar () trimble co nz> wrote:Paul Schmehl wrote:For the specific example you give I think it would be entirely appropriate to create a var called "$IIS_SERVERS" and then put allthe*other* webservers under $HTTP_SERVERS. I've suggested this before,andI'd love to see it implemented in the rules, because IIS is a beastuntoitself.Good idea - but as all IIS rules are within web-iis.rules, why notjustscript a rewrite? echo "var IIS_SERVERS [1.2.3.4/32,2.3.4.1/32]" sed 's/HTTP_SERVERS/IIS_SERVERS/g' web-iis.rules Jason ------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-usersPaul Schmehl (pauls () utdallas edu) Adjunct Information Security Officer The University of Texas at Dallas AVIEN Founding Member http://www.utdallas.edu ------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-usersPaul Schmehl (pauls () utdallas edu) Adjunct Information Security Officer The University of Texas at Dallas AVIEN Founding Member http://www.utdallas.edu ------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Making snort smarter... Tobias Rice (Apr 28)
- Re: Making snort smarter... Paul Schmehl (Apr 28)
- Re: Making snort smarter... Jason Haar (Apr 29)
- Re: Making snort smarter... Paul Schmehl (Apr 29)
- Re: Making snort smarter... Jason Haar (Apr 29)
- Re: Making snort smarter... Jason Haar (Apr 29)
- Re: Making snort smarter... Jason Haar (Apr 29)
- Re: Making snort smarter... Paul Schmehl (Apr 28)
- <Possible follow-ups>
- RE: Making snort smarter... bmcdowell (Apr 29)
- RE: Making snort smarter... Paul Schmehl (Apr 29)
- Re: Making snort smarter... Jason (Apr 29)
- RE: Making snort smarter... Paul Schmehl (Apr 29)
- RE: Making snort smarter... bmcdowell (Apr 29)
- RE: Making snort smarter... Paul Schmehl (Apr 29)
- Re: Making snort smarter... JP Vossen (Apr 29)