
I have set up a free evaluation Confluence Server on my local host and have configured "snort.conf" to point to my localhost as the "HOME_NET" environment variable.

I tried to test the ICMP rule by running "ping localhost" and I immediately see output in /var/log/snort/alert file. So I know the ICMP rule works correctly.

However, I cannot get any of the "web-attacks.rules" to work. For example, how do I test this rule?

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"WEB-ATTACKS uname -a command attempt"; flow:to_server,established; content:"uname%20-a"; nocase; classtype:web-application-attack; sid:1331; rev:5;)

I would appreciate any and all advice on testing any of the "web-attacks.rules". In fact, if someone could point me to a test script that triggers all the "web-attacks.rules", that would be ideal.

Thanks.

user1068636
  • You might find [my answer to a previous question](http://security.stackexchange.com/questions/15238/testing-a-snort-ids-installation/15240#15240) helpful. (Although I don't think this is necessarily a dupe.) – Graham Hill Nov 18 '12 at 18:46

1 Answer


Usually people use a web application firewall to detect/prevent these attacks. mod_security is an open source WAF.

Any web application vulnerability scanner should do the trick. Skipfish and wapiti are both open source web application vulnerability scanners.

rook
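Added example, not part of the question or the answer above: a simplified Python model (not Snort itself) of what the quoted sid 1331 rule requires before it alerts, useful for reasoning about whether a test request can match at all. The variable values, addresses, request lines and helper names are constructed assumptions.

```python
import ipaddress

# Rule text as quoted in the question (sid 1331).
RULE = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any '
        '(msg:"WEB-ATTACKS uname -a command attempt"; '
        'flow:to_server,established; content:"uname%20-a"; nocase; '
        'classtype:web-application-attack; sid:1331; rev:5;)')

def parse_rule(rule):
    """Split the rule into header addresses and an options dict."""
    header, body = rule.split('(', 1)
    _action, _proto, src, _sport, _arrow, dst, _dport = header.split()
    opts = {}
    for item in body.rstrip(') ').split(';'):
        key, _, val = item.strip().partition(':')
        if key:
            opts[key] = val.strip().strip('"')
    return {"src": src, "dst": dst, "opts": opts}

def in_var(ip, spec, variables):
    """Test ip against 'any', '!spec', a CIDR, or a $VARIABLE reference."""
    while spec.startswith('$'):
        spec = variables[spec[1:]]
    if spec == 'any':
        return True
    if spec.startswith('!'):
        return not in_var(ip, spec[1:], variables)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

def rule_fires(rule, pkt, variables):
    """Simplified model: header match, established flow, raw content match."""
    opts = rule["opts"]
    if not (in_var(pkt["src"], rule["src"], variables)
            and in_var(pkt["dst"], rule["dst"], variables)):
        return False
    if "established" in opts.get("flow", "") and not pkt["established"]:
        return False
    payload, needle = pkt["payload"], opts["content"].encode()
    if "nocase" in opts:
        payload, needle = payload.lower(), needle.lower()
    return needle in payload  # raw bytes: no URL decoding is applied

# Constructed variables and packets (not taken from the asker's snort.conf).
LAN = {"HOME_NET": "10.0.0.0/24", "EXTERNAL_NET": "!$HOME_NET", "HTTP_SERVERS": "$HOME_NET"}
LOOP = {"HOME_NET": "127.0.0.1/32", "EXTERNAL_NET": "!$HOME_NET", "HTTP_SERVERS": "$HOME_NET"}
def pkt(src, dst, query, established=True):
    return {"src": src, "dst": dst, "established": established,
            "payload": b"GET /page?q=" + query + b" HTTP/1.1\r\n\r\n"}
```

In this model a loopback request only matches when `EXTERNAL_NET` also covers the loopback address (for example `any`), and the payload must carry the literal bytes `uname%20-a` on an established connection.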