Hi all!
Boris Lorenz wrote:
. . .
You're right, there's no such thing as stateful inspection with ipchains; you
should use snort as well if you want to tap into the flow of packets. The
latest snortrules contain attack signatures for the Unicode exploit/cmd.exe,
but you should be able to construct some default.ida rules yourself. Writing
snort rules is not too difficult and is heavily documented. Just take a look at
http://www.snort.org.
. . .
<bashful-stolen-from-another-list>
Subject: Snort sigs
Date: Wed, 19 Sep 2001 13:10:03 +0100
From: "JustinMacCarthy"
FYI, there seem to be a few added already:
http://www.snort.org/downloads/snortrules.tar.gz
some NOT all ->
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS CodeRed v2 root.exe access"; flags: A+; uricontent:"scripts/root.exe?"; nocase; classtype: attempted-admin; sid: 1256; rev: 1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS outlook web dos"; flags:A+; uricontent:"/exchange/LogonFrm.asp?"; nocase; content:"mailbox="; nocase; content:"|25 25 25|"; classtype:attempted-dos; reference:bugtraq,3223; sid:1283; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS msdac access"; flags:A+; uricontent:"/msdac/"; nocase; classtype:bad-unknown; sid:1285; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS _mem_bin access"; flags:A+; uricontent:"/_mem_bin/"; nocase; classtype:bad-unknown; sid:1286; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS scripts access"; flags:A+; uricontent:"/scripts/"; nocase; classtype:bad-unknown; sid:1287; rev:1;)
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"WEB-MISC readme.eml attempt"; flags:A+; uricontent:"readme.eml"; nocase; classtype:bad-unknown; sid:1284; rev:1;)
~J
</bashful-stolen-from-another-list>
Hope that helps
--
best greetings from
Solingen /GERMANY
Dieter Hürten
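As an added example (not part of Justin's or Dieter's posts, and not Snort's own code): a small Python parser and matcher for rules of the shape quoted above, run over a few constructed HTTP requests, to show what each signature actually looks for. It assumes only the syntax visible in the quoted rules (the header, `msg`, `uricontent`/`content` with `|hex|` escapes, `nocase` modifying the preceding pattern, `sid`/`rev`/`classtype`/`reference`). It does not model Snort's URI normalization, the `flags` option or the network/port variables, so it is a reading aid for the rule language, not a replacement for running Snort.

```python
import re

# Three of the rules quoted in the post above; the stray spaces inside options
# (e.g. "flags: A+") are kept as written, since rule files tolerate them.
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS CodeRed v2 root.exe access"; '
    'flags: A+; uricontent:"scripts/root.exe?"; nocase; classtype: attempted-admin; sid: 1256; rev: 1;)',
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS outlook web dos"; flags:A+; '
    'uricontent:"/exchange/LogonFrm.asp?"; nocase; content:"mailbox="; nocase; content:"|25 25 25|"; '
    'classtype:attempted-dos; reference:bugtraq,3223; sid:1283; rev:3;)',
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS scripts access"; flags:A+; '
    'uricontent:"/scripts/"; nocase; classtype:bad-unknown; sid:1287; rev:1;)',
]

# Constructed HTTP requests (not real captures) to run the rules against.
SAMPLE_REQUESTS = {
    "root_exe": b"GET /scripts/root.exe?/c+dir HTTP/1.0\r\nHost: www\r\n\r\n",
    "owa_dos":  b"GET /exchange/LogonFrm.asp?mailbox=%%%%%%%% HTTP/1.0\r\nHost: www\r\n\r\n",
    "benign":   b"GET /index.html HTTP/1.0\r\nHost: www\r\n\r\n",
    "upper":    b"GET /SCRIPTS/ HTTP/1.0\r\nHost: www\r\n\r\n",
}

# action proto src sport dir dst dport (options)
HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")


def split_options(body):
    """Split the option body on ';' but not inside double-quoted values."""
    opts, cur, in_quotes = [], [], False
    for ch in body:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if "".join(cur).strip():
        opts.append("".join(cur).strip())
    return opts


def decode_content(value):
    """Turn a content string with |hex| escapes into bytes: "|25 25 25|" -> b'%%%'."""
    out = b""
    for i, part in enumerate(value.split("|")):
        out += bytes.fromhex(part) if i % 2 == 1 else part.encode("latin-1")
    return out


def parse_rule(text):
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule: %r" % text)
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    rule = {"action": action, "proto": proto, "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport,
            "msg": "", "sid": None, "rev": None, "classtype": None,
            "references": [], "matches": [], "other": {}}
    for opt in split_options(body):
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip()
        if key in ("content", "uricontent"):
            rule["matches"].append({"kind": key, "pattern": decode_content(val.strip('"')), "nocase": False})
        elif key == "nocase":            # modifies the most recent content/uricontent
            if not rule["matches"]:
                raise ValueError("nocase without a preceding content option")
            rule["matches"][-1]["nocase"] = True
        elif key == "msg":
            rule["msg"] = val.strip('"')
        elif key in ("sid", "rev"):
            rule[key] = int(val)
        elif key == "classtype":
            rule["classtype"] = val
        elif key == "reference":
            rule["references"].append(val)
        else:                            # flags etc.: recorded but not evaluated here
            rule["other"][key] = val
    return rule


def request_uri(payload):
    """Return the request-target from the first line of an HTTP request."""
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    return parts[1] if len(parts) >= 2 else b""


def rule_matches(rule, payload):
    """uricontent is searched in the URI only, content in the whole payload."""
    uri = request_uri(payload)
    for m in rule["matches"]:
        haystack = uri if m["kind"] == "uricontent" else payload
        needle = m["pattern"]
        if m["nocase"]:
            haystack, needle = haystack.lower(), needle.lower()
        if needle not in haystack:
            return False
    return True


def scan(rules, payload):
    """Return the sids of all rules whose patterns are present in the payload."""
    return [r["sid"] for r in rules if rule_matches(r, payload)]


if __name__ == "__main__":
    rules = [parse_rule(r) for r in SAMPLE_RULES]
    for name, req in SAMPLE_REQUESTS.items():
        print(name, "->", scan(rules, req))
```

The `nocase` handling is the part worth noticing when writing rules of your own: it is a modifier on the content option immediately before it, not a rule-wide flag, so the third pattern of sid 1283 (`|25 25 25|`) is matched case-sensitively while the first two are not.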