Snort mailing list archives

Re: Ramen worm and Snort log entry


From: Subba Rao <subba9 () home com>
Date: Sun, 17 Jun 2001 11:21:23 +0000

On 0, Brian Caswell <bmc () mitre org> wrote:
Subba Rao wrote:
The following are the preprocessors in the snort.conf file. I have changed the
IP addresses of the systems/network here.

====================================================================
var INTERNAL  192.168.1.0/24
var EXTERNAL !$INTERNAL
var DNS_SERVERS 192.168.1.5/24

preprocessor http_decode: 80 8080
preprocessor minfrag: 128
preprocessor portscan: 1.1.1.1/2 5 3 portscan.log
preprocessor portscan-ignorehosts: 192.168.1.0/24

#include /usr/security/snort/etc/snort-vision.conf

output alert_full: alert
====================================================================

Why is Snort not logging any information about these trojan related alerts?

Because you don't have any rules listed there.  Uncomment the include
statement and try again.


There is a huge set of rules below the "output alert_full: alert" line. The
include statement includes MaxVision's rule set. The current configuration file
has the default Snort rule set and includes MaxVision's rule set. The
default file and MaxVision's file do include the Ramen worm rule. It is kinda
redundant but I have left them in the file.

-- 

Subba Rao
subba9 () home com
http://members.home.net/subba9/

GPG public key ID 27FC9217
Key fingerprint = 2B4C 498E 1860 5A2B 6570  5852 7527 882A 27FC 9217

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
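The configuration fragment in this thread has variables, preprocessors and an output plugin but, as posted, no active rule lines and an include that is commented out, which is exactly the state in which Snort 1.x runs quietly and alerts on nothing. The script below is an added example for this archive page, not Snort code and not written by either poster: it reads a snort.conf the way Snort 1.x does (one directive per line, `#` comments, `var`, `preprocessor`, `output`, `include`, and rule lines that start with an action keyword) and reports the conditions that explain "no alerts": zero active rules and includes, includes that are commented out, and `a.b.c.d/n` values whose host bits are set (assumed here to be masked to the network, so `192.168.1.5/24` is read as `192.168.1.0/24`). The sample config is constructed to mirror the fragment quoted above; the fixed variant and the test rule on port 27374 are likewise constructed for illustration.

```python
"""Check whether a Snort 1.x snort.conf actually loads any rules.

Added example for this mailing-list thread; not Snort's own code.
"""
import re
from dataclasses import dataclass, field

# Constructed to mirror the fragment posted in the thread (addresses as given there).
SAMPLE_CONF = """\
var INTERNAL  192.168.1.0/24
var EXTERNAL !$INTERNAL
var DNS_SERVERS 192.168.1.5/24

preprocessor http_decode: 80 8080
preprocessor minfrag: 128
preprocessor portscan: 1.1.1.1/2 5 3 portscan.log
preprocessor portscan-ignorehosts: 192.168.1.0/24

#include /usr/security/snort/etc/snort-vision.conf

output alert_full: alert
"""

# Snort 1.x rule actions: a line beginning with one of these is a rule.
RULE_ACTIONS = ("alert", "log", "pass", "activate", "dynamic")
CIDR_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,2})")


@dataclass
class ConfReport:
    variables: dict = field(default_factory=dict)
    preprocessors: list = field(default_factory=list)
    outputs: list = field(default_factory=list)
    includes: list = field(default_factory=list)           # active include paths
    commented_includes: list = field(default_factory=list)  # '#include ...' lines
    rule_count: int = 0
    warnings: list = field(default_factory=list)


def cidr_warnings(where: str, text: str) -> list:
    """Flag a.b.c.d/n values with host bits set. Assumption: Snort masks the
    address to the network, so 192.168.1.5/24 silently means 192.168.1.0/24."""
    out = []
    for ip, bits in CIDR_RE.findall(text):
        bits = int(bits)
        octets = [int(o) for o in ip.split(".")]
        if bits > 32 or max(octets) > 255:
            out.append(f"{where}: {ip}/{bits} is not a valid IPv4 CIDR")
            continue
        addr = int.from_bytes(bytes(octets), "big")
        mask = (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF
        if addr & ~mask & 0xFFFFFFFF:
            net = ".".join(str(b) for b in (addr & mask).to_bytes(4, "big"))
            out.append(f"{where}: {ip}/{bits} has host bits set; Snort will use {net}/{bits}")
    return out


def analyze(conf: str) -> ConfReport:
    """Parse a snort.conf text and collect the facts that decide whether it can alert."""
    r = ConfReport()
    for raw in conf.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # A commented-out include loads nothing; remember it so we can say so.
            body = line.lstrip("#").strip()
            if body.startswith("include "):
                r.commented_includes.append(body.split(None, 1)[1].strip())
            continue
        head = line.split(None, 1)
        kw, rest = head[0], (head[1] if len(head) > 1 else "")
        if kw == "var":
            name, value = (rest.split(None, 1) + [""])[:2]
            r.variables[name] = value
            r.warnings += cidr_warnings(f"var {name}", value)
        elif kw == "preprocessor":
            r.preprocessors.append(rest)
            r.warnings += cidr_warnings(f"preprocessor {rest.split(':')[0]}", rest)
        elif kw == "output":
            r.outputs.append(rest)
        elif kw == "include":
            r.includes.append(rest.strip())
        elif kw in RULE_ACTIONS:
            r.rule_count += 1
    for path in r.commented_includes:
        r.warnings.append(f"include is commented out, nothing loaded from {path}")
    if r.rule_count == 0 and not r.includes:
        r.warnings.append("no rules loaded: 0 rule lines and 0 active include lines, "
                          "so preprocessors run but nothing can alert")
    return r


if __name__ == "__main__":
    for w in analyze(SAMPLE_CONF).warnings:
        print("WARNING:", w)
```

Run against the posted fragment it reports the commented-out include, the absence of any rule line, and the two CIDR values (`192.168.1.5/24`, `1.1.1.1/2`) whose host bits Snort would discard; uncomment the include or add a rule line and the "no rules loaded" warning goes away, which is the fix Brian Caswell suggests above.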