Re: snort question
On Thu, Nov 16, 2000 at 01:57:58PM +0100, Michael Meskes wrote:
> Is there any documentation that gives some detailed information about the
> events snort logs? I've installed it to test it a little bit but haven't
> found time yet. But today I got this:
The IDS Numbers are from whitehats.com, the CVE Numbers are from CVE
The snort stats script has some shortcomings, one is the cutting off of the
description line and the port numbers, so have a look in your syslog to see
the full message, which would be:
3ecki@calista:~> grep IDS244 /etc/snort/*
/etc/snort/webmisc-lib:alert tcp !$HOME_NET any -> $HOME_NET 2301
(msg:"IDS244 - CVE-1999-0771 - Compaq-insight-dot-dot"; content: "../";)
http://www.whitehats.com/IDS/244
...
http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0771
Name: CVE-1999-0771
Description: The web components of Compaq Management Agents and the
Compaq Survey Utility allow a remote attacker to read arbitrary files
via a .. (dot dot) attack.
References:
  BUGTRAQ:19990526 Infosec.19990526.compaq-im.a
  COMPAQ:SSRT0612U
  XF:management-agent-file-read
Regards
Bernd
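
Added example (not part of the message above and not snort's own code): a small Python lookup that does what the grep does, recovering the full msg line and port that the stats script cuts off, and building the two reference URLs in the form shown in the message. The function name explain, the sample text and the IDS999 rule are constructed for illustration.

```python
import re

# First rule is the one quoted in the message, joined onto one line.
# Second rule is constructed, with no CVE tag, to exercise that path.
SAMPLE_RULES = '''\
alert tcp !$HOME_NET any -> $HOME_NET 2301 (msg:"IDS244 - CVE-1999-0771 - Compaq-insight-dot-dot"; content: "../";)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS999 - constructed-example-rule"; content: "example";)
'''

# header: action proto src sport -> dst dport (options)
RULE_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$')
MSG_RE = re.compile(r'msg:\s*"([^"]*)"')
CONTENT_RE = re.compile(r'content:\s*"([^"]*)"')
IDS_RE = re.compile(r'\bIDS(\d+)\b')
CVE_RE = re.compile(r'\bCVE-(\d{4}-\d+)\b')


def explain(tag, rules_text):
    """Return full details for a rule tag such as 'IDS244', or None."""
    for line in rules_text.splitlines():
        rule = RULE_RE.match(line.strip())
        if not rule:
            continue  # comment, blank line or something that is not a rule
        msg = MSG_RE.search(rule.group('opts'))
        # Match the tag as a whole " - " separated field, so IDS24 != IDS244.
        if not msg or tag not in re.split(r'\s+-\s+', msg.group(1)):
            continue
        ids = IDS_RE.search(msg.group(1))
        cve = CVE_RE.search(msg.group(1))
        content = CONTENT_RE.search(rule.group('opts'))
        return {
            'msg': msg.group(1),               # untruncated description
            'dport': rule.group('dport'),      # port the stats output drops
            'content': content.group(1) if content else None,
            'ids_url': 'http://www.whitehats.com/IDS/' + ids.group(1) if ids else None,
            'cve_url': ('http://cve.mitre.org/cgi-bin/cvename.cgi?name=' + cve.group(1)
                        if cve else None),
        }
    return None


if __name__ == '__main__':
    for key, value in explain('IDS244', SAMPLE_RULES).items():
        print(f'{key:8} {value}')
```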