Snort mailing list archives
Re: Alerts question
From: Scott Zawalski <scott.zawalski () web de>
Date: Wed, 14 Jul 2004 08:40:38 -0700
If you are using the standard rule set then you should see some trips on the readme.eml content:
Rules 1284 and 1290. (http://www.snort.org/cgi-bin/sigs-search.cgi?sid=readme.eml)
As far as a specific CodeRed sid, only 1256 applies for the CodeRed v2 rule, and it looks for /root.exe uricontent
(http://www.snort.org/snort-db/sid.html?sid=1256)

Scott

Randy Ramsdell wrote:
I have been getting scanned daily by a host that is infected with "code red". Obviously a web server is running on it and I went there and found the typical script trying to push "readme.eml." So, shouldn't snort catch this? I just need to know if it should without getting into specifics of my configuration. I read that snort should detect "code red" if you go to the site, but I am not sure if this is true.
------------------------------------------------------- This SF.Net email sponsored by Black Hat Briefings & Training.Attend Black Hat Briefings & Training, Las Vegas July 24-29 - digital self defense, top technical experts, no vendor pitches, unmatched networking opportunities. Visit www.blackhat.com
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
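The distinction Scott draws above (sid 1256 fires on a uricontent match for /root.exe in the request URI, while the readme.eml rules fire on content in the payload) is easy to see with a toy matcher. The code below is an added illustration, not Snort's engine or the text of the real rules: the rule bodies, messages, and sample requests are constructed for this example, and the URI normalization is a deliberately reduced model of what Snort's HTTP decoder does (percent-decoding and slash collapsing only).

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote


@dataclass
class Rule:
    """Minimal model of the Snort rule options discussed in the thread.

    uricontent is matched against the normalized request URI; content is
    matched against the raw payload. Rule bodies are constructed here for
    illustration and are not the text of the real sids.
    """
    sid: int
    msg: str
    uricontent: Optional[str] = None
    content: Optional[str] = None
    nocase: bool = True


# sid 1256 looks for /root.exe in the URI (per the thread); the readme.eml
# rules are modelled by a single content rule with the sid 1284 from the thread.
RULES: List[Rule] = [
    Rule(1256, "WEB-IIS CodeRed v2 root.exe access (constructed msg)",
         uricontent="/root.exe"),
    Rule(1284, "readme.eml reference in HTTP traffic (constructed msg)",
         content="readme.eml"),
]

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/\d\.\d\r?\n")


def normalize_uri(uri: str) -> str:
    """Reduced stand-in for Snort's HTTP URI normalization.

    Percent-decodes the URI and collapses repeated slashes so that an
    obfuscated request such as /scripts//ROOT%2Eexe still matches
    /root.exe when the rule is nocase.
    """
    decoded = unquote(uri)
    return re.sub(r"/+", "/", decoded)


def match(rule: Rule, payload: str) -> bool:
    """Return True if every option on the rule is satisfied by the payload."""
    def fold(s: str) -> str:
        return s.lower() if rule.nocase else s

    request = REQUEST_LINE.match(payload)
    if rule.uricontent is not None:
        # uricontent only makes sense on a parseable HTTP request line
        if request is None:
            return False
        if fold(rule.uricontent) not in fold(normalize_uri(request.group("uri"))):
            return False
    if rule.content is not None:
        # content is a plain substring search over the whole payload
        if fold(rule.content) not in fold(payload):
            return False
    return True


def alerts(payload: str) -> List[int]:
    """List the sids of all rules that trip on one HTTP request payload."""
    return [rule.sid for rule in RULES if match(rule, payload)]


if __name__ == "__main__":
    # Constructed sample requests, as an infected host's scanner might send them
    samples = [
        "GET /scripts/root.exe?/c+dir HTTP/1.0\r\nHost: target\r\n\r\n",
        "GET /scripts//ROOT%2Eexe?/c+dir HTTP/1.0\r\nHost: target\r\n\r\n",
        "GET /readme.eml HTTP/1.0\r\nHost: target\r\n\r\n",
        "GET /index.html HTTP/1.0\r\nHost: target\r\n\r\n",
    ]
    for sample in samples:
        print(sample.split("\r\n")[0], "->", alerts(sample))
```

The second sample shows why uricontent is applied after normalization: the percent-encoded, mixed-case, double-slashed URI still decodes to a string containing /root.exe. Real Snort rules also carry flow and direction options (for example, only matching requests to $HTTP_SERVERS), which this model omits; that is also why, as the thread says, the rules trip on the probes arriving at your web server rather than on you visiting the infected host's page.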
Current thread:
- Alerts question Randy Ramsdell (Jul 13)
- RE: Alerts question Patrick S. Harper (Jul 14)
- Re: Alerts question Scott Zawalski (Jul 14)
- Re: Alerts question Scott Zawalski (Jul 16)