Jack Pepper wrote:
If this was how you imagined our setup then please try to explain the
above in another way.
Starting over ....
Good idea. :-)
I believe your IP address obfuscation is blurring the analysis.
Please repost the rule definition and the original packet again. This
time change only the second octet of the IP addresses. Defining both
ends of the conversation as both being on the "10." network is messy.
We'll just start over.
alert
Jul 7 13:37:00 syslogserver snort: [1:12256:1] WEB-CLIENT Excel
malformed FBI record [Classification: Attempted User Privilege Gain]
[Priority: 1]: {TCP} 80.xx.86.40:80 -> 195.xx.18.18:15968
rules/web-client.rules
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT
Excel malformed FBI record"; flow:from_server,established;
flowbits:isset,xls.download; content:"`|10|";
byte_test:2,>,32767,6,relative; reference:cve,2007-1203;
reference:url,www.microsoft.com/technet/security/bulletin/ms07-023.mspx;
classtype:attempted-user; sid:12256; rev:1;)
Also please include the following line from your snort.conf: "var
HOME_NET ... "
var HOME_NET 80.xx.86.0/24
80.xx.86.40 = Our webserver on our lan, behind (next to) the Snort box
195.xx.18.18 = Some client on the Internet
--
Jesper S. Jensen
Basisnet og Sikkerhed
Uni-C - Århus, Danmark
-------------------------------------------------------------------------
Sponsored by: SourceForge.net Community Choice Awards: VOTE NOW!
Studies have shown that voting for your favorite open source project,
along with a healthy diet, reduces your potential for chronic lameness
and boredom. Vote Now at http://www.sourceforge.net/community/cca08
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
