Snort mailing list archives
Re: No longer seeing exploit traffic on version 2.0.0
From: Chris Green <cmg () sourcefire com>
Date: Mon, 28 Apr 2003 10:23:24 -0400
Lloyd_Ardoin () mazzios com writes:
1. (*) text/plain ( ) text/html I have been using Snort 1.9.0 and had upgraded to 1.9.1 about 3 weeks ago. It is running on a Linux RedHat Dell box on our DMZ. It has been up and monitoring for about 3 months. It is configured to log to a mysql database and I have the ACID console up and working also. The Snort box has been logging about 2 dozen alerts a day on average. Mostly IIS Web exploits. I upgraded to the 2.0.0 version on April 23rd and I am no longer getting any alerts from Snort. I have created an alert rule in the local.rules file that says - alert ip !$HOME_NET any -> $HOME_NET any which is generating alerts. But I am no longer seeing any alerts on the consistent IIS web exploints I have been seeing for the last couple of months. I have reviewed everything on my setup but can't seem to come up with anything....can anyone provide any suggestions?
Try -A fast -b and see if it's related to ACID or related to snort. I recommend adding a message alert ip !$HOME_NET any -> $HOME_NET any (msg: "LOCAL: goofy man";) -- Chris Green <cmg () sourcefire com> Laugh and the world laughs with you, snore and you sleep alone. ------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- No longer seeing exploit traffic on version 2.0.0 Lloyd_Ardoin (Apr 25)
- Re: No longer seeing exploit traffic on version 2.0.0 Chris Green (Apr 28)