Snort mailing list archives
Demarc issues
From: Dennis Henderson <hendo () hendohome com>
Date: Tue, 09 Oct 2001 22:42:19 -0500
Howdy fellow snorticians, I brought up demarc recently and it seems to work very well until lately. Even though the snort.conf has a complete ruleset and is updating regularly, I am not triggering any of the nimda/codered attempts.
My apache logs clearly show the attempts. I have enclosed the top part of my snort.conf. I certainly would appreciate any changes/tweaks/corrections to my preprocessor statements.
Please reply privately and to the list so that any other lost wallowers having the same issue may benefit.
Thanks in advance.

hendo

var HOME_NET x.y.z.a/32   # <- you can probably figure this out from my reply-to address
var EXTERNAL_NET any
var SMTP $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
preprocessor frag2: 16777216, 30
preprocessor stream4: timeout 60, detect_scans
preprocessor stream4_reassemble: ports default
preprocessor http_decode: 80 -unicode -cginull
preprocessor rpc_decode: 111
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor portscan: $HOME_NET 4 3 portscan.log
output database: alert, mysql, user=xxxxxxxxxxx dbname=xxxxxxxx password=xxxxxxxxxer host=xxxxxx sensor_name=xxxxxxx
config classification: not-suspicious,Not Suspicious Traffic,0
config classification: unknown,Unknown Traffic,1
config classification: bad-unknown,Potentially Bad Traffic,2
config classification: attempted-recon,Attempted Information Leak,3
config classification: successful-recon-limited,Information Leak,4
config classification: successful-recon-largescale,Large Scale Information Leak,5
config classification: attempted-dos,Attempted Denial of Service,6
config classification: successful-dos,Denial of Service,7
config classification: attempted-user,Attempted User Privilege Gain,8
config classification: unsuccessful-user,Unsuccessful User Privilege Gain,7
config classification: successful-user,Successful User Privilege Gain,9
config classification: attempted-admin,Attempted Administrator Privilege Gain,10
config classification: successful-admin,Successful Administrator Privilege Gain,11
config classification: rpc-portmapper-decode,Decode of an RPC Query,2
config classification: shellcode-detect,Executable code was detected,1
config classification: string-detect,A suspicious string was detected,3
config classification: suspicious-filename-detect,A suspicious filename was detected,2
config classification: system-call-detect,A system call was detected,2
config classification: tcp-connection,A TCP connection was detected,4
config classification: trojan-activity,A Network Trojan was detected,1
config classification: unusual-client-port-connection,A client was using an unusual port,2
config classification: network-scan,Detection of a Network Scan,3
config classification: denial-of-service,Detection of a Denial of Service Attack,2
config classification: non-standard-protocol,Detection of a non-standard protocol or event,2
config classification: protocol-command-decode,Generic Protocol Command Decode,3
config classification: web-application-activity,potentially vulnerable web application access,2
config classification: web-application-attack,Web Application Attack,1
config classification: misc-activity,Misc activity,3
config classification: misc-attack,Misc Attack,2
config classification: icmp-event,Generic ICMP event,3
config classification: kickass-porn,SCORE! Get the lotion!,1
# ATTACK RESPONSES
# These signatures are those when they happen, it's usually because a machine
# has been compromised. These should not false that often and almost always
# mean a compromise.
alert tcp $HTTP_SERVERS 80 -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES http dirlisting"; content: "Volume Serial Number"; flags: A+; classtype:bad-unknown; sid:1292; rev:1;)

<-snip--> complete ruleset follows
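As an added example, not part of the original post or of Snort itself: a small Python checker for snort.conf fragments in the layout above (var, preprocessor, config classification and alert lines). It parses each line type and reports $VARS and classtypes that rules reference but the file never defines; the sample config is constructed, with a deliberately dangling $WEB_SERVERS variable and web-iis-attack classtype so the check has something to find.

```python
# Added example, not from the original post: sanity-check a snort.conf fragment
# for $VARS and classtypes that rules use but the file never defines.
import re

SAMPLE_CONF = """\
var HOME_NET 10.0.0.5/32
var EXTERNAL_NET any
var HTTP_SERVERS $HOME_NET
preprocessor http_decode: 80 -unicode -cginull
config classification: bad-unknown,Potentially Bad Traffic,2
alert tcp $HTTP_SERVERS 80 -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES http dirlisting"; content: "Volume Serial Number"; flags: A+; classtype:bad-unknown; sid:1292; rev:1;)
alert tcp $EXTERNAL_NET any -> $WEB_SERVERS 80 (msg:"CONSTRUCTED test rule"; content:"cmd.exe"; nocase; classtype:web-iis-attack; sid:1000001; rev:1;)
"""  # constructed sample in the poster's layout, not their real file

VAR_RE = re.compile(r'^var\s+(\w+)\s+(\S.*)$')
CLASS_RE = re.compile(r'^config classification:\s*([\w-]+)\s*,\s*(.*?)\s*,\s*(\d+)\s*$')
RULE_RE = re.compile(r'^(alert|log|pass)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')
OPT_RE = re.compile(r'\s*([\w-]+)\s*(?::\s*((?:"[^"]*"|[^;])*))?;')  # key[:value];
VAR_REF = re.compile(r'\$(\w+)')

def parse_conf(text):
    # Returns (vars, classifications, preprocessor lines, rules).
    vars_, classes, preprocs, rules = {}, {}, [], []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith('#'):
            continue
        if m := VAR_RE.match(line):
            vars_[m.group(1)] = m.group(2)
        elif m := CLASS_RE.match(line):
            classes[m.group(1)] = (m.group(2), int(m.group(3)))
        elif line.startswith('preprocessor '):
            preprocs.append(line.split(None, 1)[1])
        elif m := RULE_RE.match(line):
            opts = {k: v.strip() for k, v in OPT_RE.findall(m.group(8))}
            rules.append({'header': m.groups()[:7], 'opts': opts})
    return vars_, classes, preprocs, rules

def check_conf(text):
    # Returns a list of dangling references; an empty list means clean.
    vars_, classes, _preprocs, rules = parse_conf(text)
    problems = []
    for rule in rules:
        sid = rule['opts'].get('sid', '?')
        for field in rule['header']:
            problems += [f'sid {sid}: undefined ${r}'
                         for r in VAR_REF.findall(field) if r not in vars_]
        ctype = rule['opts'].get('classtype')
        if ctype and ctype not in classes:
            problems.append(f'sid {sid}: classtype {ctype} has no config classification')
    return problems

print('\n'.join(check_conf(SAMPLE_CONF)) or 'no problems found')
```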