Snort mailing list archives

Re: Alerts question


From: Scott Zawalski <scott.zawalski () web de>
Date: Fri, 16 Jul 2004 08:51:44 -0700

Snort will be able to detect it while it is being infected. It just parses packets, meaning the packet is already on its way to the machine. There is no positive or negative if the machine is actually infected though. Snort is just detecting the attack.

What do you mean by Nessus detects this? If you mean Nessus detects if a machine is vulnerable then that is because it is a non-passive security scanner and these results can only be obtained via non-passive scanning. Something Snort was not intended for.


Scott

Randy Ramsdell wrote:



Scott Zawalski wrote:

If you are using the standard rule set then you should see some trips on the readme.eml content:

Rules 1284 and 1290. (http://www.snort.org/cgi-bin/sigs-search.cgi?sid=readme.eml)

As far as a specific CodeRed sid only 1256 applies for CodeRed v2 rule and it looks for /root.exe uricontent
(http://www.snort.org/snort-db/sid.html?sid=1256)

Scott



That is what I thought, but somehow the infected systems do not trigger snort. Obviously there is something amiss, but I can't figure it out. I will have to look into this in detail because I want to know when a "non" infectable system even goes to a site that is infected. Nessus was able to detect this.

What does it take for snort to detect?
Does the "readme.eml" have to infect a system before snort detects it? Or will snort be able to detect before infection?

RCR


Randy Ramsdell wrote:


I have been getting scanned daily by a host that is infected with "code red". Obviously a web server is running on it and I went there and found the typical script trying to push "readme.eml."

So, shouldn't snort catch this?

I just need to know if it should without getting into specifics of my configuration.

I read that snort should detect "code red" if you go to the site, but I am not sure if this is true.
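To make the distinction in the thread concrete (a sniffer fires on what passes by on the wire, a scanner tells you whether a host is vulnerable or infected), here is an added example that is not part of the original thread and not Snort's code. It implements a toy version of just the two rule options the thread mentions, `uricontent` (checked against the URI of an HTTP request) and `content` (checked anywhere in the payload), and runs them over constructed HTTP traffic. The sids 1256 and 1284 and the strings `/root.exe` and `readme.eml` come from the thread; the rule messages, the sample packets and the simplified matching semantics are assumptions for illustration, not the official ruleset.

```python
"""Toy Snort-style matcher: fires on traffic, knows nothing about host state.

Added example, not Snort's implementation. Only two rule options are
modelled: ``uricontent`` (HTTP request URI) and ``content`` (whole payload).
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Rule:
    sid: int
    msg: str
    uricontent: bytes = b""  # matched against the request URI only
    content: bytes = b""     # matched against the entire payload


# Sids and search strings as cited in the thread; msg text and the
# single-option form of each rule are simplifications (assumed).
RULES = [
    Rule(sid=1256, msg="CodeRed v2 root.exe access (assumed msg)",
         uricontent=b"/root.exe"),
    Rule(sid=1284, msg="readme.eml content seen (assumed msg)",
         content=b"readme.eml"),
]


def request_uri(payload: bytes) -> bytes:
    """Return the URI from an HTTP request line, or b"" if this is not a request."""
    first_line, _, _ = payload.partition(b"\r\n")
    parts = first_line.split(b" ")
    if len(parts) == 3 and parts[2].startswith(b"HTTP/"):
        return parts[1]
    return b""


def match(payload: bytes) -> List[int]:
    """Return the sids of every rule whose options all hit this payload.

    The decision uses nothing but the bytes in transit: it says "this
    request or page went past the sensor", never "the target is infected".
    """
    uri = request_uri(payload).lower()
    body = payload.lower()
    hits = []
    for rule in RULES:
        if rule.uricontent and rule.uricontent.lower() not in uri:
            continue
        if rule.content and rule.content.lower() not in body:
            continue
        hits.append(rule.sid)
    return hits


# Constructed sample traffic (not captures from a real incident):
SCAN_REQUEST = (b"GET /scripts/root.exe?/c+dir HTTP/1.0\r\n"
                b"Host: 192.0.2.10\r\n\r\n")
INFECTED_PAGE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                 b"<html><body><a href=\"readme.eml\">readme.eml</a></body></html>")
BENIGN_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

if __name__ == "__main__":
    for name, pkt in [("scan request", SCAN_REQUEST),
                      ("served page", INFECTED_PAGE),
                      ("benign request", BENIGN_REQUEST)]:
        print(f"{name:15s} -> sids {match(pkt)}")
```

Two things follow from the toy that also hold for the real rules. First, `match(SCAN_REQUEST)` returns 1256 whether or not the scanned host even runs IIS, which is exactly Scott's point: the alert records the attempt, not the outcome. Second, real Snort rules carry header constraints the toy omits (direction, `$HOME_NET`/`$EXTERNAL_NET`, the HTTP ports list), and a rule that "should" fire but does not is usually explained by traffic that fails those header fields, or by a sensor that is not on the path between the client and the infected server, rather than by the content options themselves.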







_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net

