Snort mailing list archives
Re: Configuration issue
From: John Sage <jsage () finchhaven com>
Date: Sat, 22 Sep 2001 21:43:49 -0700
Just a thought: Do you actually have any rules active that will detect CodeRed or Nimda? When I do this:

[toot@greatwall /usr/local/snort-1.8.1-RELEASE]# grep 'CodeRed' *.rules

All I get is this:

web-iis.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg: "WEB-IIS CodeRed v2 root.exe access"; flags: A+; uricontent:"scripts/root.exe?"; nocase; classtype: attempted-admin; sid: 1257; rev: 1;)
So there's only this one rule in the default rules (at least for Build 74 of 1.8.1-RELEASE on Linux), and of course there would be *nothing* for Nimda, unless you added it yourself, Nimda being so new and all...
- John

--
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage () finchhaven com
"The web is so, like, five minutes ago..."

DJDave Sobel wrote:
Snort Users:

Need a little help... I believe I have everything configured correctly... Having built and installed snort 1.8.1, I have it running and configured for my network. My network is divided into three major subnets, one with publicly addressable IPs, and two private blocks. Despite the fact that I'm seeing multiple CodeRed and Nimda attacks in the web server logs, Snort does not seem to see them -- or certainly doesn't report them. I'm not using anything more than the standard ruleset, so I'm not sure what I'm doing wrong.

I've included my snort.conf below, and I execute snort with this command:

/usr/local/bin/snort -c /usr/local/snort/snort.conf -dD

I have removed the -dD and verified that snort does run, and with the -dD I can see it in the process list.

Can anyone help?

Dave
<sir snip-a-lot>

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
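The following is an added illustration of John's point, not part of the thread and not Snort's own code: it takes the single stock rule he quotes (sid 1257), interprets only its uricontent/nocase options as a plain substring match on the request-URI, and runs it over a handful of constructed IIS log request lines of the shapes CodeRed II and Nimda were known to send. It shows that the stock rule fires only on the /scripts/root.exe? probe and never on the cmd.exe directory-traversal probes, and what a locally added rule for those would look like. The added rule, its sid 1000001 and its msg text are assumptions for this example (the local-rule sid range is conventional, not from the page); the matcher does not reproduce Snort's URI normalization, only a literal, case-folded substring test.

```python
import re

# Constructed sample request lines (not real log data) of the kinds an IIS
# access log filled up with during CodeRed II / Nimda scanning.
SAMPLE_REQUESTS = [
    "GET /default.ida?XXXXXXXXXXXX%u9090%u6858%ucbd3 HTTP/1.0",              # CodeRed .ida overflow probe
    "GET /scripts/root.exe?/c+dir HTTP/1.0",                                 # CodeRed II backdoor, reused by Nimda
    "GET /MSADC/root.exe?/c+dir HTTP/1.0",                                   # same backdoor, different vdir
    "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",        # Nimda unicode traversal probe
    "GET /_vti_bin/..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",  # Nimda double-decode probe
    "GET /index.html HTTP/1.0",                                              # benign
]

# The one CodeRed rule in the stock Snort 1.8.1 web-iis.rules, as quoted in the thread.
DEFAULT_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 '
    '(msg: "WEB-IIS CodeRed v2 root.exe access"; flags: A+; '
    'uricontent:"scripts/root.exe?"; nocase; classtype: attempted-admin; sid: 1257; rev: 1;)'
)

# Hypothetical local rule (an assumption for this example, not a stock Snort rule):
# the kind of thing one has to add by hand to see Nimda's cmd.exe traversal probes at all.
ADDED_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 '
    '(msg: "LOCAL Nimda cmd.exe traversal"; flags: A+; '
    'uricontent:"/winnt/system32/cmd.exe?"; nocase; classtype: attempted-admin; sid: 1000001; rev: 1;)'
)


def parse_rule(rule):
    """Return (msg, [uricontent patterns], nocase) from a Snort 1.x rule line.

    Only msg, uricontent and nocase are interpreted; header, flags and
    classtype are ignored. Splitting on ';' is adequate for these rules but
    would break on a content string that itself contains a semicolon.
    """
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    msg, patterns, nocase = "", [], False
    for opt in body.split(";"):
        opt = opt.strip()
        if not opt:
            continue
        name, _, value = opt.partition(":")
        name, value = name.strip(), value.strip().strip('"')
        if name == "msg":
            msg = value
        elif name == "uricontent":
            patterns.append(value)
        elif name == "nocase":
            nocase = True
    return msg, patterns, nocase


def uri_of(request_line):
    """Pull the request-URI out of 'METHOD URI HTTP/x.y'."""
    return request_line.split(" ", 2)[1]


def rule_matches(rule, request_line):
    """Literal substring test of every uricontent against the raw URI (no Snort normalization)."""
    _, patterns, nocase = parse_rule(rule)
    uri = uri_of(request_line)
    haystack = uri.lower() if nocase else uri
    return all((p.lower() if nocase else p) in haystack for p in patterns)


def alerts(rules, requests):
    """Run every rule over every request; return (msg, uri) pairs in the order an alert file would list them."""
    hits = []
    for req in requests:
        for rule in rules:
            if rule_matches(rule, req):
                hits.append((parse_rule(rule)[0], uri_of(req)))
    return hits


if __name__ == "__main__":
    print("stock rule only:")
    for msg, uri in alerts([DEFAULT_RULE], SAMPLE_REQUESTS):
        print(f"  [{msg}] {uri}")
    print("stock rule plus local Nimda rule:")
    for msg, uri in alerts([DEFAULT_RULE, ADDED_RULE], SAMPLE_REQUESTS):
        print(f"  [{msg}] {uri}")
```

With the stock rule alone only the /scripts/root.exe? request produces an alert; the .ida probe, the /MSADC/root.exe? variant and both cmd.exe traversal probes pass silently, which is what a web log full of CodeRed and Nimda hits beside an empty Snort alert file looks like when the ruleset, not the sniffer, is the gap.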
Current thread:
- Configuration issue DJDave Sobel (Sep 22)
- Re: Configuration issue John Sage (Sep 22)
- Re: Configuration issue Brian (Sep 23)
- Configuration issue, Part II DJDave Sobel (Sep 23)
- Re: Configuration issue, Part II Erek Adams (Sep 23)
- RE: Configuration issue, Part II DJDave Sobel (Sep 24)
- Re: Configuration issue, Part II Chris Keladis (Sep 24)
- -i switch Matthew Francis (Sep 24)
- Re: Configuration issue, Part II Chris Keladis (Sep 24)
- Re: Configuration issue, Part II Erek Adams (Sep 24)
- RE: Configuration issue, Part II DJDave Sobel (Sep 24)
- RE: Configuration issue, Part II DJDave Sobel (Sep 24)
- Configuration issue, Part II DJDave Sobel (Sep 23)