Snort mailing list archives
Revisiting Nimda specific logging
From: Subba Rao <subba9 () home com>
Date: Thu, 11 Oct 2001 15:32:15 -0400
Ok. I am going to revisit this problem once again. Thanks to Andrew Baker I could get part of it resolved.

This is the way I am invoking Snort on my Slackware 8 system.

snort -D -bo -g snort -u snort -i eth2 -t /usr/local/snort -l ./logs -c etc/snort.conf -A fast -z est 2>&1

The snort.conf has default settings for the most part. The VARs have my network settings. There are hosts/segments that I have defined to ignore. The only addition is to add the nimda specific rules.

======== SNORT.CONF =========

ruletype nimda
{
    type alert
    output alert_fast: nimda.log
}

config order: nimda activation dynamic alert log pass

include nimda.rules

======== END SNORT.CONF =========

======== NIMDA.RULES ========

nimda tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS multiple \
decode attempt"; flags:A+; uricontent:"%5c"; uricontent:".."; \
reference:cve,CAN-2001-0333;classtype:attempted-user; sid:970; rev:2;)

nimda tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS msdac \
access"; flags:A+; uricontent:"/msdac/"; nocase; classtype:bad-unknown; \
sid:1285; rev:1;)

nimda tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS _mem_bin \
access"; flags:A+; uricontent:"/_mem_bin/"; nocase; classtype:bad-unknown; \
sid:1286; rev:1;)

nimda tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS scripts \
access"; flags:A+; uricontent:"/scripts/"; nocase; classtype:bad-unknown; \
sid:1287; rev:1;)

nimda tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe \
access"; flags: A+; content:"cmd.exe"; nocase; classtype:attempted-user; \
sid:1002; rev:1;)

nimda udp any any -> any 69 (msg:"TFTP GET Admin.dll"; content: "|41 64 6D \
69 6E 2E 64 6C 6C 00 6F 63 74 65 74|"; classtype:successful-admin; \
sid:1289; rev:1; reference:url,www.cert.org/advisories/CA-2001-26.html;)

nimda tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"WEB-MISC readme.eml \
autoload attempt"; flags:A+; content:"window.open("readme.eml""; nocase; \
classtype:attempted-user; sid:1290; rev:2; \
reference:url,www.cert.org/advisories/CA-2001-26.html;)

nimda tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"WEB-MISC readme.eml \
attempt"; flags:A+; uricontent:"readme.eml"; nocase; \
classtype:attempted-user; sid:1284; rev:3; \
reference:url,www.cert.org/advisories/CA-2001-26.html;)

nimda tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-FRONTPAGE \
/_vti_bin/ access";flags: A+; uricontent:"/_vti_bin/"; nocase; \
classtype:bad-unknown; sid:1288; rev:1;)

======== END NIMDA.RULES ========

I have even added the "logto" option at the end of the rule. Even that is not making a difference.

======== NIMDA.RULES ========

nimda tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS multiple \
decode attempt"; flags:A+; uricontent:"%5c"; \
uricontent:"..";reference:cve,CAN-2001-0333;classtype:attempted-user; \
sid:970; rev:2; logto: "nimda.log";)

nimda tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS msdac \
access"; flags:A+; uricontent:"/msdac/"; nocase; classtype:bad-unknown; \
sid:1285; rev:1; logto: "nimda.log";)

nimda tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS _mem_bin \
access"; flags:A+; uricontent:"/_mem_bin/"; nocase; classtype:bad-unknown; \
sid:1286; rev:1; logto: "nimda.log";)

nimda tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS scripts \
access"; flags:A+; uricontent:"/scripts/"; nocase; classtype:bad-unknown; \
sid:1287; rev:1; logto: "nimda.log";)

nimda tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe \
access"; flags: A+; content:"cmd.exe"; nocase; classtype:attempted-user; \
sid:1002; rev:1; logto: "nimda.log";)

nimda udp any any -> any 69 (msg:"TFTP GET Admin.dll"; content: "|41 64 6D \
69 6E 2E 64 6C 6C 00 6F 63 74 65 74|"; classtype:successful-admin; \
sid:1289; rev:1; reference:url,www.cert.org/advisories/CA-2001-26.html; \
logto: "nimda.log";)

nimda tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"WEB-MISC readme.eml \
autoload attempt"; flags:A+; content:"window.open("readme.eml""; nocase; \
classtype:attempted-user; sid:1290; rev:2; \
reference:url,www.cert.org/advisories/CA-2001-26.html; logto: "nimda.log";)

nimda tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"WEB-MISC readme.eml \
attempt"; flags:A+; uricontent:"readme.eml"; nocase; \
classtype:attempted-user; sid:1284; rev:3; \
reference:url,www.cert.org/advisories/CA-2001-26.html; logto: "nimda.log";)

nimda tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-FRONTPAGE \
/_vti_bin/ access";flags: A+; uricontent:"/_vti_bin/"; nocase; \
classtype:bad-unknown; sid:1288; rev:1; logto: "nimda.log";)

======== END NIMDA.RULES ========

Bottom line question: where is my nimda.log? What am I doing wrong in this configuration?

Thank you in advance for any solution.

--
Subba Rao
subba9 () home com
http://members.home.net/subba9/
OpenPGP/GPG public key ID CCB7344E

=> Time is relative. Here is a new way to look at time. <=
http://www.smcinnovations.com

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
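As an added illustration (not part of the post above and not Snort's own code): a small Python model of how the posted ruletype, the rules' content/uricontent options and the "logto" override decide which file an alert is destined for. It abridges three of the posted rules to the options it evaluates, assumes a raw URI with no http_decode normalisation, and the helper names (ruletypes, parse_rules, matches, alerts) and the sample packets are constructed for this example.

```python
import re
# Constructed excerpts (abridged) of the posted snort.conf ruletype and three nimda.rules.
CONF = 'ruletype nimda { type alert output alert_fast: nimda.log }'
RULES = r'''
nimda tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS multiple \
decode attempt"; flags:A+; uricontent:"%5c"; uricontent:".."; sid:970; rev:2;)
nimda tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe \
access"; flags: A+; content:"cmd.exe"; nocase; sid:1002; rev:1; logto: "nimda.log";)
nimda udp any any -> any 69 (msg:"TFTP GET Admin.dll"; content: "|41 64 6D \
69 6E 2E 64 6C 6C 00 6F 63 74 65 74|"; sid:1289; rev:1;)
'''

def ruletypes(conf):                  # custom ruletype name -> file its output plugin writes
    return {m[1]: m[2] for m in re.finditer(r'ruletype\s+(\w+)\s*\{[^}]*output\s+\w+:\s*(\S+)\s*\}', conf)}

def decode(s):                        # Snort content syntax: text with |hex byte| sections
    return b''.join(bytes.fromhex(p) if i % 2 else p.encode()
                    for i, p in enumerate(s.split('|')))

def parse_rules(text):
    rules = []
    for line in re.sub(r'\\\n', '', text).splitlines():          # join "\" continuations
        if m := re.match(r'(\w+)\s+(\w+)\s+\S+\s+\S+\s*->\s*\S+\s+(\S+)\s*\((.*)\)\s*$', line):
            rule = {'action': m[1], 'proto': m[2], 'dport': m[3], 'contents': [], 'sid': None, 'logto': None}
            for opt in filter(None, (o.strip() for o in m[4].split(';'))):
                key, _, val = (x.strip() for x in opt.partition(':'))
                if key in ('content', 'uricontent'):
                    rule['contents'].append([key, decode(val.strip('"')), False])
                elif key == 'nocase':                            # modifies the preceding content
                    rule['contents'][-1][2] = True
                elif key in ('sid', 'logto'):
                    rule[key] = val.strip('"')
            rules.append(rule)
    return rules

def matches(rule, pkt):               # every content/uricontent must hit (raw URI, no http_decode)
    if rule['proto'] != pkt['proto'] or rule['dport'] not in ('any', str(pkt['dport'])):
        return False
    for kind, needle, nocase in rule['contents']:
        hay = pkt['uri'] if kind == 'uricontent' else pkt['payload']
        if (needle.lower() if nocase else needle) not in (hay.lower() if nocase else hay):
            return False
    return True

def alerts(rules, conf, pkt):         # (sid, destination file): logto wins, else the ruletype output
    outputs = ruletypes(conf)
    return [(r['sid'], r['logto'] or outputs.get(r['action'])) for r in rules if matches(r, pkt)]

# Constructed sample traffic: a Nimda-style IIS probe and the TFTP fetch of Admin.dll.
HTTP = {'proto': 'tcp', 'dport': 80, 'uri': b'/scripts/..%5c../cmd.exe', 'payload': b'GET /scripts/..%5c../cmd.exe HTTP/1.0'}
TFTP = {'proto': 'udp', 'dport': 69, 'uri': b'', 'payload': b'\x00\x01Admin.dll\x00octet\x00'}
```

Running alerts(parse_rules(RULES), CONF, HTTP) shows sids 970 and 1002 both resolving to nimda.log, one through the ruletype and one through logto, which is why adding logto to rules already in the nimda ruletype changes nothing about the destination.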
Current thread:
- Nimda specific logging Subba Rao (Oct 10)
- Re: Nimda specific logging Andrew R. Baker (Oct 10)
- Re: Nimda specific logging Subba Rao (Oct 11)
- Re: Nimda specific logging Andrew R. Baker (Oct 11)
- Re: Nimda specific logging Subba Rao (Oct 11)
- Re: Nimda specific logging Subba Rao (Oct 11)
- Re: Nimda specific logging Subba Rao (Oct 11)
- Re: Nimda specific logging Andrew R. Baker (Oct 10)
- Revisiting Nimda specific logging Subba Rao (Oct 11)