Snort mailing list archives
RE: readme.eml coming from an apache RH web server?
From: Steve Ochani <jpegny () optonline net>
Date: Sun, 16 Dec 2001 18:10:07 -0500
On 16 Dec 2001 at 15:09, Paul D. Shaffer wrote:
Your Snort will "see" all the Code Red and Nimda stuff even if you're running Apache. That's not to say it's "succeeding." Those worms look for http servers at port 80 and try to exploit anything they find (not smart enough to recognize IIS). Check your Apache logs and you should see it returning 404s as the exploits try to get non-existent stuff from your web server...
I don't think that's what he meant. He shouldn't be seeing Nimda probes *from* his own Apache machine.
Paul

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of John Mulkerin
Sent: Sunday, December 16, 2001 11:50 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] readme.eml coming from an apache RH web server?

I'm not real good at snort configuration but do have my HOME_NET set to my specific two home addresses (so I added a CIDR of 32). However, I see alerts from my 12.XXX.XXX.XX1 machine to my other home machine 12.XXX.XXX.XX2. Since I'm pretty sure the Nimda exploit is not running on a RedHat 7.2 with Apache, what am I doing wrong? Here are a couple of the log entries:

12/16-09:47:20.775485 [**] [1:1284:3] WEB-MISC readme.eml attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 12.XXX.XXX.XX1:80 -> 12.XXX.XXX.XX2:1670
12/16-09:47:20.799312 [**] [1:1284:3] WEB-MISC readme.eml attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 12.XXX.XXX.XX1:80 -> 12.XXX.XXX.XX2:1670

var HOME_NET [12.XXX.XXX.XX1/32,12.XXX.XXX.XX2/32]

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
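The point of the exchange above is reading the direction of the alert: Snort prints the flagged packet's own source and destination, so `12.XXX.XXX.XX1:80 -> 12.XXX.XXX.XX2:1670` says the bytes that matched sid 1284 were sent by the web server side of the connection, from a host inside HOME_NET. The following script is an added example, not code from the thread or from the Snort project: it parses fast-format alert lines like the ones quoted, reads a `var HOME_NET` line in the same shape as the poster's, and labels each alert by whether its endpoints are inside HOME_NET and which side of the HTTP conversation the flagged packet came from, so that alerts sourced from your own machines can be pulled out first. The sample alerts and the HOME_NET line are constructed and use documentation addresses (192.0.2.x, 198.51.100.x), not the poster's masked hosts; the `http_ports` default of 80 is an assumption.

```python
import ipaddress
import re

# Constructed sample alerts in Snort's one-line ("fast") alert format, shaped
# like the two entries quoted in the thread. Addresses are documentation-range
# placeholders (192.0.2.x, 198.51.100.x), not the poster's masked hosts.
SAMPLE_ALERTS = """\
12/16-09:47:20.775485 [**] [1:1284:3] WEB-MISC readme.eml attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 192.0.2.1:80 -> 192.0.2.2:1670
12/16-09:47:20.799312 [**] [1:1284:3] WEB-MISC readme.eml attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 192.0.2.1:80 -> 192.0.2.2:1670
12/16-10:02:11.000001 [**] [1:1284:3] WEB-MISC readme.eml attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 198.51.100.7:3291 -> 192.0.2.1:80
"""

# Constructed snort.conf line with the same shape as the poster's HOME_NET.
SAMPLE_HOME_NET = "var HOME_NET [192.0.2.1/32,192.0.2.2/32]"

# One fast-format alert line: timestamp, [gid:sid:rev], message, optional
# classification and priority, protocol, then src:port -> dst:port.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?(?:\[Priority: (?P<pri>\d+)\] )?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_home_net(var_line):
    """Turn 'var HOME_NET [a/32,b/32]' (or 'var HOME_NET any') into a list of networks."""
    m = re.match(r"^\s*var\s+HOME_NET\s+(.+?)\s*$", var_line)
    if not m:
        raise ValueError("not a HOME_NET definition: %r" % var_line)
    value = m.group(1).strip("[]")
    if value == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    # strict=False so a bare host address (no mask) is accepted as a /32
    return [ipaddress.ip_network(tok.strip(), strict=False)
            for tok in value.split(",") if tok.strip()]


def parse_alert(line):
    """Parse one fast-format alert line into a dict, or return None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for key in ("gid", "sid", "rev", "sport", "dport"):
        d[key] = int(d[key])
    d["pri"] = int(d["pri"]) if d["pri"] is not None else None
    return d


def is_home(addr, home_nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in home_nets)


def direction(alert, home_nets):
    """Label the flagged packet by which side of HOME_NET each endpoint is on."""
    src_home = is_home(alert["src"], home_nets)
    dst_home = is_home(alert["dst"], home_nets)
    return ("home" if src_home else "ext") + "->" + ("home" if dst_home else "ext")


def triage(alert_text, home_net_line, http_ports=(80,)):
    """Parse every alert and record its direction and which side of the HTTP
    conversation the flagged packet came from. Snort reports the packet's own
    src/dst, so a source port of 80 means the server side sent the bytes that
    matched the rule; it does not mean the server was probed."""
    home_nets = parse_home_net(home_net_line)
    out = []
    for line in alert_text.splitlines():
        a = parse_alert(line)
        if a is None:
            continue  # skip anything that is not a fast-format alert line
        a["direction"] = direction(a, home_nets)
        if a["sport"] in http_ports:
            a["http_side"] = "server_response"
        elif a["dport"] in http_ports:
            a["http_side"] = "client_request"
        else:
            a["http_side"] = "non_http_port"
        out.append(a)
    return out


def home_sourced(results):
    """Alerts whose flagged packet originated inside HOME_NET: the ones the
    thread says you should not be seeing, so they deserve the first look."""
    return [a for a in results if a["direction"].startswith("home->")]


if __name__ == "__main__":
    for a in triage(SAMPLE_ALERTS, SAMPLE_HOME_NET):
        print("%-10s %-16s sid=%d %s:%d -> %s:%d  %s" % (
            a["direction"], a["http_side"], a["sid"],
            a["src"], a["sport"], a["dst"], a["dport"], a["msg"]))
```

Run against the constructed input, the two alerts shaped like the poster's come out as `home->home` / `server_response`, while the third (a request from an outside address to the web server) is `ext->home` / `client_request`. Feeding your own alert file and `var HOME_NET` line through `triage()` gives the same split, which is the first thing to check before asking whether a home machine is really infected.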
Current thread:
- readme.eml coming from an apache RH web server? John Mulkerin (Dec 16)
- RE: readme.eml coming from an apache RH web server? Paul D. Shaffer (Dec 16)
- RE: readme.eml coming from an apache RH web server? Steve Ochani (Dec 16)
- RE: readme.eml coming from an apache RH web server? Paul D. Shaffer (Dec 16)
- Re: readme.eml coming from an apache RH web server? John Mulkerin (Dec 16)
- RE: readme.eml coming from an apache RH web server? Steve Ochani (Dec 16)
- RE: readme.eml coming from an apache RH web server? Paul D. Shaffer (Dec 16)