Snort mailing list archives
Revisiting Nimda specific logging
From: Subba Rao <subba9 () home com>
Date: Thu, 11 Oct 2001 15:32:15 -0400
Ok. I am going to revisit this problem once again. Thanks to Andrew Baker,
I could get part of it resolved.
This is the way I am invoking Snort on my Slackware 8 system.
snort -D -bo -g snort -u snort -i eth2 -t /usr/local/snort -l ./logs -c etc/snort.conf -A fast -z est 2>&1
The snort.conf has default settings for the most part.
The VARs have my network settings. There are hosts/segments
that I have defined to ignore. The only addition is the
Nimda-specific rules.
======== SNORT.CONF =========
ruletype nimda
{
type alert
output alert_fast: nimda.log
}
config order: nimda activation dynamic alert log pass
include nimda.rules
======== END SNORT.CONF =========
======== NIMDA.RULES ========
nimda tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS multiple \
decode attempt"; flags:A+; uricontent:"%5c"; uricontent:".."; \
reference:cve,CAN-2001-0333;classtype:attempted-user; sid:970; rev:2;)
nimda tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS msdac \
access"; flags:A+; uricontent:"/msdac/"; nocase; classtype:bad-unknown; \
sid:1285; rev:1;)
nimda tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS _mem_bin \
access"; flags:A+; uricontent:"/_mem_bin/"; nocase; classtype:bad-unknown; \
sid:1286; rev:1;)
nimda tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS scripts \
access"; flags:A+; uricontent:"/scripts/"; nocase; classtype:bad-unknown; \
sid:1287; rev:1;)
nimda tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe \
access"; flags: A+; content:"cmd.exe"; nocase; classtype:attempted-user; \
sid:1002; rev:1;)
nimda udp any any -> any 69 (msg:"TFTP GET Admin.dll"; content: "|41 64 6D \
69 6E 2E 64 6C 6C 00 6F 63 74 65 74|"; classtype:successful-admin; \
sid:1289; rev:1; reference:url,www.cert.org/advisories/CA-2001-26.html;)
nimda tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"WEB-MISC readme.eml \
autoload attempt"; flags:A+; content:"window.open(\"readme.eml\""; nocase; \
classtype:attempted-user; sid:1290; rev:2; \
reference:url,www.cert.org/advisories/CA-2001-26.html;)
nimda tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"WEB-MISC readme.eml \
attempt"; flags:A+; uricontent:"readme.eml"; nocase; \
classtype:attempted-user; sid:1284; rev:3; \
reference:url,www.cert.org/advisories/CA-2001-26.html;)
nimda tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-FRONTPAGE \
/_vti_bin/ access";flags: A+; uricontent:"/_vti_bin/"; nocase; \
classtype:bad-unknown; sid:1288; rev:1;)
======== END NIMDA.RULES ========
I have even added the "logto" option at the end of the rules. Even that
is not making a difference.
======== NIMDA.RULES ========
nimda tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS multiple \
decode attempt"; flags:A+; uricontent:"%5c"; \
uricontent:"..";reference:cve,CAN-2001-0333;classtype:attempted-user; \
sid:970; rev:2; logto: "nimda.log";)
nimda tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS msdac \
access"; flags:A+; uricontent:"/msdac/"; nocase; classtype:bad-unknown; \
sid:1285; rev:1; logto: "nimda.log";)
nimda tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS _mem_bin \
access"; flags:A+; uricontent:"/_mem_bin/"; nocase; classtype:bad-unknown; \
sid:1286; rev:1; logto: "nimda.log";)
nimda tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS scripts \
access"; flags:A+; uricontent:"/scripts/"; nocase; classtype:bad-unknown; \
sid:1287; rev:1; logto: "nimda.log";)
nimda tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe \
access"; flags: A+; content:"cmd.exe"; nocase; classtype:attempted-user; \
sid:1002; rev:1; logto: "nimda.log";)
nimda udp any any -> any 69 (msg:"TFTP GET Admin.dll"; content: "|41 64 6D \
69 6E 2E 64 6C 6C 00 6F 63 74 65 74|"; classtype:successful-admin; \
sid:1289; rev:1; reference:url,www.cert.org/advisories/CA-2001-26.html; \
logto: "nimda.log";)
nimda tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"WEB-MISC readme.eml \
autoload attempt"; flags:A+; content:"window.open(\"readme.eml\""; nocase; \
classtype:attempted-user; sid:1290; rev:2; \
reference:url,www.cert.org/advisories/CA-2001-26.html; logto: "nimda.log";)
nimda tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"WEB-MISC readme.eml \
attempt"; flags:A+; uricontent:"readme.eml"; nocase; \
classtype:attempted-user; sid:1284; rev:3; \
reference:url,www.cert.org/advisories/CA-2001-26.html; logto: "nimda.log";)
nimda tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-FRONTPAGE \
/_vti_bin/ access";flags: A+; uricontent:"/_vti_bin/"; nocase; \
classtype:bad-unknown; sid:1288; rev:1; logto: "nimda.log";)
======== END NIMDA.RULES ========
Bottom-line question: where is my nimda.log? What am I doing wrong in
this configuration?
Thank you in advance for any solution.
--
Subba Rao
subba9 () home com http://members.home.net/subba9/
OpenPGP/GPG public key ID CCB7344E
=> Time is relative. Here is a new way to look at time. <=
http://www.smcinnovations.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
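To see what the posted ruleset actually fires on, and to show the one syntax problem in the rules as pasted (the double quotes inside the sid 1290 content string must be escaped as \" in Snort's content syntax), here is an added example. It is my code, not Snort source and not part of the original post: a toy reader for the subset of rule options these rules use (header, msg, sid, nocase, content/uricontent with |hex| sections and \" escapes), run over constructed HTTP and TFTP payloads. The rule text, the traffic samples and the function names are all constructed for the example; flags:A+ and the $VARs are parsed but ignored, and uricontent is matched against the raw request URI, so Snort's http_decode normalisation is not modelled.

```python
r"""Toy reader for the posted Nimda rules, matched against constructed traffic.

Added example (mine, not Snort source and not from the original post). It
models only the rule features the posted rules use: header, msg, sid, nocase,
and content/uricontent with |hex| sections and \" escapes. flags:A+ and the
$VARs are parsed but ignored; uricontent is matched against the raw request URI.
"""
from __future__ import annotations

import re

# Constructed subset of the posted rules (sids 970, 1287, 1002, 1289, 1290), one per
# line, with the inner quotes of sid 1290 escaped as Snort's content syntax requires.
RULES = r'''
nimda tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS multiple decode attempt"; flags:A+; uricontent:"%5c"; uricontent:".."; sid:970;)
nimda tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS scripts access"; flags:A+; uricontent:"/scripts/"; nocase; sid:1287;)
nimda tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; flags:A+; content:"cmd.exe"; nocase; sid:1002;)
nimda udp any any -> any 69 (msg:"TFTP GET Admin.dll"; content:"|41 64 6D 69 6E 2E 64 6C 6C 00 6F 63 74 65 74|"; sid:1289;)
nimda tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"WEB-MISC readme.eml autoload attempt"; flags:A+; content:"window.open(\"readme.eml\""; nocase; sid:1290;)
'''

# Sid 1290 exactly as pasted in the post: the quotes inside content are not escaped.
BAD_RULE = r'''nimda tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"WEB-MISC readme.eml autoload attempt"; flags:A+; content:"window.open("readme.eml""; nocase; sid:1290;)'''

HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")


def split_options(body: str) -> list[tuple[str, str]]:
    """Split the option body on ';', honouring quoted strings and backslash escapes."""
    opts, cur, in_quote, i = [], "", False, 0
    while i < len(body):
        c = body[i]
        if c == "\\" and in_quote and i + 1 < len(body):
            cur += body[i:i + 2]          # keep the escape for decode_content
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        if c == ";" and not in_quote:
            opts.append(cur.strip())
            cur = ""
        else:
            cur += c
        i += 1
    if in_quote:
        raise ValueError("unterminated quote in rule options: " + body)
    if cur.strip():
        opts.append(cur.strip())
    return [(k.strip(), v.strip()) for k, _, v in (o.partition(":") for o in opts)]


def decode_content(value: str) -> bytes:
    """Turn a content value into bytes: |xx xx| hex runs, \" and \\ escapes, else literal.
    An unescaped quote inside the string is treated as a rule error."""
    if len(value) < 2 or value[0] != '"' or value[-1] != '"':
        raise ValueError("content must be double-quoted: " + value)
    inner, out, i, in_hex = value[1:-1], bytearray(), 0, False
    while i < len(inner):
        c = inner[i]
        if in_hex:
            j = inner.index("|", i)
            out += bytes.fromhex(inner[i:j])
            i, in_hex = j + 1, False
            continue
        if c == "|":
            in_hex = True
        elif c == "\\" and i + 1 < len(inner):
            out.append(ord(inner[i + 1]))
            i += 1
        elif c == '"':
            raise ValueError("unescaped quote inside content: " + value)
        else:
            out.append(ord(c))
        i += 1
    return bytes(out)


def parse_rules(text: str) -> list[dict]:
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER.match(line)
        if not m:
            raise ValueError("bad rule header: " + line)
        action, proto, _src, _sport, _dst, dport, body = m.groups()
        r = {"action": action, "proto": proto, "dport": dport, "msg": "", "sid": None,
             "nocase": False, "content": [], "uricontent": []}
        for key, val in split_options(body):
            if key in ("content", "uricontent"):
                r[key].append(decode_content(val))
            elif key == "msg":
                r["msg"] = val.strip('"')
            elif key == "sid":
                r["sid"] = int(val)
            elif key == "nocase":
                r["nocase"] = True   # simplification: applies to every pattern in the rule
        rules.append(r)
    return rules


def http_uri(payload: bytes):
    """Return the request URI from an HTTP request line, or None for non-requests."""
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    return parts[1] if len(parts) >= 3 and parts[0] in (b"GET", b"POST", b"HEAD") else None


def matches(rule: dict, proto: str, dport: int, payload: bytes) -> bool:
    if rule["proto"] != proto or rule["dport"] not in ("any", str(dport)):
        return False

    def hit(buf: bytes, pat: bytes) -> bool:
        return pat.lower() in buf.lower() if rule["nocase"] else pat in buf

    if any(not hit(payload, p) for p in rule["content"]):
        return False
    if rule["uricontent"]:
        uri = http_uri(payload)
        if uri is None or any(not hit(uri, p) for p in rule["uricontent"]):
            return False
    return True


def scan(rules: list[dict], events) -> list[tuple[int, str]]:
    """(sid, msg) for every rule that fires on every event, in event then rule order."""
    return [(r["sid"], r["msg"]) for proto, dport, payload in events
            for r in rules if matches(r, proto, dport, payload)]


def rule_error(text: str):
    """None if the rule text parses, otherwise the parse error as a string."""
    try:
        parse_rules(text)
    except ValueError as e:
        return str(e)
    return None


# Constructed traffic: (proto, destination port, payload).
EVENTS = [
    ("tcp", 80, b"GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"),
    ("udp", 69, b"\x00\x01Admin.dll\x00octet\x00"),                  # TFTP RRQ for Admin.dll
    ("tcp", 1025, b"HTTP/1.0 200 OK\r\n\r\n<script>window.open(\"readme.eml\", null, \"resizable=no\")</script>"),
    ("tcp", 80, b"GET /index.html HTTP/1.0\r\n\r\n"),                # benign, no alert
]

if __name__ == "__main__":
    for sid, msg in scan(parse_rules(RULES), EVENTS):
        print(f"[**] [1:{sid}] {msg}")
    print("posted sid 1290:", rule_error(BAD_RULE))
```

Run stand-alone it prints one alert per matching rule for the first three events, nothing for the benign request, and the parse error for sid 1290 as it was pasted. Note that sid 1290 as the poster wrote it does not fail on an unbalanced quote count (the four quotes pair up), so the error only appears when the content string itself is decoded; a rule that loads without complaint is not the same as a rule whose pattern means what you intended.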
Current thread:
- Nimda specific logging Subba Rao (Oct 10)
- Re: Nimda specific logging Andrew R. Baker (Oct 10)
- Re: Nimda specific logging Subba Rao (Oct 11)
- Re: Nimda specific logging Andrew R. Baker (Oct 11)
- Re: Nimda specific logging Subba Rao (Oct 11)
- Re: Nimda specific logging Subba Rao (Oct 11)
- Re: Nimda specific logging Subba Rao (Oct 11)
- Re: Nimda specific logging Andrew R. Baker (Oct 10)
- Revisiting Nimda specific logging Subba Rao (Oct 11)
