Snort mailing list archives
Re: Ramen worm and Snort log entry
From: Subba Rao <subba9 () home com>
Date: Sun, 17 Jun 2001 11:21:23 +0000
On 0, Brian Caswell <bmc () mitre org> wrote:
> Subba Rao wrote:
> > The following are the preprocessors in the snort.conf file. I have changed the IP addresses of the systems/network here.
> > ====================================================================
> > var INTERNAL 192.168.1.0/24
> > var EXTERNAL !$INTERNAL
> > var DNS_SERVERS 192.168.1.5/24
> > preprocessor http_decode: 80 8080
> > preprocessor minfrag: 128
> > preprocessor portscan: 1.1.1.1/2 5 3 portscan.log
> > preprocessor portscan-ignorehosts: 192.168.1.0/24
> > #include /usr/security/snort/etc/snort-vision.conf
> > output alert_full: alert
> > ====================================================================
> > Why is Snort not logging any information about these trojan related alerts?
>
> Because you don't have any rules listed there. Uncomment the include statement and try again.
There is a huge set of rules below the "output alert_full: alert" line. The include statement includes MaxVision's rule set. The current configuration file has the default snort rule set and "include"s MaxVision's rule set. The default file and MaxVision's file do include the Ramen worm rule. It is kinda redundant but I have left them in the file.

--
Subba Rao
subba9 () home com
http://members.home.net/subba9/
GPG public key ID 27FC9217
Key fingerprint = 2B4C 498E 1860 5A2B 6570 5852 7527 882A 27FC 9217
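The disagreement in this thread comes down to whether the snort.conf actually loads any rules: a line beginning with "#" is a comment to Snort, so "#include ..." loads nothing, and a config that contains only var, preprocessor and output lines will never produce an alert. The following is an added check, not code from the thread or from the Snort project: it counts the rule sources a snort.conf will really load (uncommented include lines and inline rules that begin with a rule action). The two sample configs it writes are constructed; the first mirrors the fragment quoted above with the include still commented out, the second has the include active plus one made-up local rule (the file path and the rule content are placeholders, not the Ramen worm signature).

```shell
#!/bin/sh
# Added example (not from the thread). Count the rule sources Snort will load
# from a snort.conf: active 'include' lines plus inline rules whose line starts
# with a rule action (alert, log, pass). Comment and blank lines are ignored,
# exactly as Snort ignores them, so "#include ..." contributes nothing.
count_active_rule_sources() {
    awk '
        { sub(/^[ \t]+/, "") }                       # drop leading whitespace
        /^#/ || /^$/ { next }                        # skip comments and blank lines
        /^(include|alert|log|pass)[ \t]/ { n++ }     # an include or an inline rule
        END { print n + 0 }                          # always print a number, even 0
    ' "$1"
}

# Constructed sample 1: mirrors the fragment in the thread. The only rule
# source is commented out, so nothing will ever alert.
write_sample_conf() {
    cat > "$1" <<'EOF'
var INTERNAL 192.168.1.0/24
var EXTERNAL !$INTERNAL
preprocessor http_decode: 80 8080
preprocessor portscan: 1.1.1.1/2 5 3 portscan.log
#include /usr/security/snort/etc/snort-vision.conf
output alert_full: alert
EOF
}

# Constructed sample 2: the include is active and one local rule is inline.
# The path and the rule are placeholders for illustration only.
write_fixed_conf() {
    cat > "$1" <<'EOF'
var INTERNAL 192.168.1.0/24
var EXTERNAL !$INTERNAL
preprocessor http_decode: 80 8080
include /usr/security/snort/etc/snort-vision.conf
output alert_full: alert
alert tcp $EXTERNAL any -> $INTERNAL 80 (msg:"LOCAL constructed test rule"; content:"example-marker";)
EOF
}

# Stand-alone usage: write both samples to a temp file and report the counts.
main() {
    tmp=$(mktemp)
    write_sample_conf "$tmp"
    echo "commented include: $(count_active_rule_sources "$tmp") active rule source(s)"
    write_fixed_conf "$tmp"
    echo "include + local rule: $(count_active_rule_sources "$tmp") active rule source(s)"
    rm -f "$tmp"
}
```

Run it against a real snort.conf with count_active_rule_sources /path/to/snort.conf; a result of 0 means the sensor is running with no detection rules at all, regardless of which preprocessors and output plugins are configured.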
Current thread:
- Ramen worm and Snort log entry Subba Rao (Jun 17)
- Re: Ramen worm and Snort log entry Brian Caswell (Jun 17)
- Re: Ramen worm and Snort log entry Subba Rao (Jun 17)
- Re: Ramen worm and Snort log entry Brian Caswell (Jun 17)