Snort mailing list archives
Re: Alerts question
From: Scott Zawalski <scott.zawalski () web de>
Date: Fri, 16 Jul 2004 08:51:44 -0700
Snort will be able to detect it while it is being infected. It just parses packets, meaning the packet is already on its way to the machine. There is no positive or negative if the machine is actually infected though. Snort is just detecting the attack.
What do you mean by Nessus detects this? If you mean Nessus detects if a machine is vulnerable then that is because it is a non-passive security scanner and these results can only be obtained via non-passive scanning. Something Snort was not intended for.
Scott

Randy Ramsdell wrote:
> Scott Zawalski wrote:
>> If you are using the standard rule set then you should see some trips on the readme.eml content: Rules 1284 and 1290. (http://www.snort.org/cgi-bin/sigs-search.cgi?sid=readme.eml)
>> As far as a specific CodeRed sid, only 1256 applies for the CodeRed v2 rule and it looks for /root.exe uricontent (http://www.snort.org/snort-db/sid.html?sid=1256)
>> Scott
>
> That is what I thought, but somehow the infected systems do not trigger snort. Obviously there is something amiss, but I can't figure it out. I will have to look into this in detail because I want to know when a "non" infectable system even goes to a site that is infected. Nessus was able to detect this.
> What does it take for snort to detect?
> Does the "readme.eml" have to infect a system before snort detects it? Or will snort be able to detect before infection?
> RCR
>
> RCR
>
> Randy Ramsdell wrote:
>> I have been getting scanned daily by a host that is infected with "code red". Obviously a web server is running on it and I went there and found the typical script trying to push "readme.eml."
>> So, shouldn't snort catch this?
>> I just need to know if it should without getting into specifics of my configuration.
>> I read that snort should detect "code red" if you go to the site, but I am not sure if this is true.
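The two points Scott makes (Snort only matches on packets that actually pass its sensor, and the rules named in the thread match on the /root.exe URI and on readme.eml content) are easier to see with a toy passive matcher. This is an added illustration, not code from the list or from Snort; the sids are the ones named above, but the match strings, messages, port restriction and sample packets are constructed assumptions, not the real rule bodies.

```python
import re
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


# Assumed rule table standing in for the real Snort rules: sid 1256 keys on the
# request URI (uricontent), the readme.eml rule keys on any HTTP payload content.
RULES = [
    {"sid": 1256, "msg": "CodeRed v2 root.exe access", "where": "uri", "pattern": b"/root.exe"},
    {"sid": 1284, "msg": "readme.eml content seen", "where": "payload", "pattern": b"readme.eml"},
]

REQUEST_LINE = re.compile(rb"^(?:GET|POST|HEAD) (\S+) HTTP/1\.[01]\r\n")


def match_packet(pkt):
    """Return (sid, msg) for every rule that fires on one packet (case-sensitive, like default content)."""
    hits = []
    if 80 not in (pkt.sport, pkt.dport):  # assumed $HTTP_PORTS of just 80
        return hits
    for rule in RULES:
        if rule["where"] == "uri":
            m = REQUEST_LINE.match(pkt.payload)  # uricontent only applies to a request line
            fired = m is not None and rule["pattern"] in m.group(1)
        else:
            fired = rule["pattern"] in pkt.payload  # plain content match, requests and responses alike
        if fired:
            hits.append((rule["sid"], rule["msg"]))
    return hits


def run_sensor(packets, tap):
    """tap: hosts whose traffic reaches the sensor. A packet the sensor never sees cannot alert."""
    alerts = []
    for pkt in packets:
        if pkt.src not in tap and pkt.dst not in tap:
            continue
        alerts.extend((sid, msg, pkt.src, pkt.dst) for sid, msg in match_packet(pkt))
    return alerts


SAMPLE = [  # constructed packets, not captured traffic
    Packet("198.51.100.7", "192.0.2.10", 4321, 80, b"GET /scripts/root.exe?/c+dir HTTP/1.0\r\nHost: 192.0.2.10\r\n\r\n"),
    Packet("203.0.113.9", "192.0.2.20", 80, 4322, b'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<script>window.open("readme.eml")</script>'),
    Packet("192.0.2.20", "203.0.113.9", 4322, 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
    Packet("10.9.9.9", "10.8.8.8", 5555, 80, b"GET /root.exe HTTP/1.0\r\n\r\n"),  # never crosses the tap
]
```

The third packet (a benign fetch from the infected server) produces nothing, and the fourth only alerts if the sensor's tap actually covers those hosts, which is the first thing to check when infected systems "do not trigger snort".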