Snort mailing list archives
RE: Snort-users digest, Vol 1 #4375 - 8 msgs
From: Takisha Harper <TakishaHarper () ppom com>
Date: Wed, 14 Jul 2004 13:13:00 -0400
Any of you guys know any people or consultants that can come in and assist us with setting up Snort? Thanks
-----Original Message-----
From: snort-users-request () lists sourceforge net [SMTP:snort-users-request () lists sourceforge net]
Sent: Wednesday, July 14, 2004 11:45 AM
To: snort-users () lists sourceforge net
Subject: Snort-users digest, Vol 1 #4375 - 8 msgs

Send Snort-users mailing list submissions to snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit https://lists.sourceforge.net/lists/listinfo/snort-users or, via email, send a message with subject or body 'help' to snort-users-request () lists sourceforge net

You can reach the person managing the list at snort-users-admin () lists sourceforge net

When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-users digest..."

Today's Topics:

1. RE: plz help (Harper, Patrick)
2. RE: plz help (Nick Duda)
3. problem with suppress... (Tobias Rice)
4. (http_inspect) NON-RFC HTTP DELIMITER issue (sjconsulting () optonline net)
5. Re: plz help (shashank.joshi () tcs com)
6. Remote syslogging of snort (Paul Schmehl)
7. Re: NEWBIE: rule writing walkthru? (shashank.joshi () tcs com)
8. Re: Alerts question (Scott Zawalski)

--__--__--

Message: 1
From: "Harper, Patrick" <patrick.harper () phns com>
To: "Chandana Bandara" <chandana () dialogsl net>, <snort-users () lists sourceforge net>
Date: Wed, 14 Jul 2004 08:15:00 -0500
Subject: RE: [Snort-users] plz help

Do you have a rule for large ICMP enabled? Try a vulnerability scanner; that should trigger some alerts for ya. Or, if you have the content: /etc/passwd rule enabled, just go to the IP of the snort box in a browser with /etc/passwd in the URL and you should get an alert.

When you say "how do I check this from other clients?" are you talking about checking the traffic to and from the clients on your network? If you are on a switched network (a managed one) you need to set a span or monitor port, depending on the brand of switch. If you are on a dumb switch then you either need to use a tap or a small hub inline; taps work better in my opinion but hubs are cheaper.

Hope that helps

-----Original Message-----
From: Chandana Bandara [mailto:chandana () dialogsl net]
Sent: Wednesday, July 14, 2004 6:19 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] plz help

hi,

I have installed snort perfectly in a Red Hat Linux 9 box. The ACID URL runs in the browser. I used the ping command with huge packet sizes to that snort server, but there were no alerts in ACID.

So tell me, how do I check this from other clients?

plz help

thanx in advance
chandana

--__--__--

Message: 2
Subject: RE: [Snort-users] plz help
Date: Wed, 14 Jul 2004 09:53:19 -0400
From: "Nick Duda" <nduda () VistaPrint com>
To: "Chandana Bandara" <chandana () dialogsl net>, <snort-users () lists sourceforge net>

Nessus, Retina, NMAP, etc. Anything that can do massive pen testing will make snort go crazy. Tools like these are required in a security pro's toolbox.

--__--__--

Message: 3
Date: Wed, 14 Jul 2004 07:01:45 -0700
From: Tobias Rice <rice () up edu>
To: Graeme.Rider () colesmyer com au
Cc: snort-users () lists sourceforge net
Subject: [Snort-users] problem with suppress...
Are you using the "-o" flag to change the rule testing order to Pass|Alert|Log?

Tobias

--__--__--

Message: 4
Date: Wed, 14 Jul 2004 11:21:28 -0400
From: sjconsulting () optonline net
To: snort-users () lists sourceforge net
Subject: [Snort-users] (http_inspect) NON-RFC HTTP DELIMITER issue

I am receiving this alert and I know this alert is being generated by someone streaming "Yahoo Shoutcast" on my net. Would you consider this to be a false positive? Is there a way to turn this specific inspection/alert off? I was reading through the http_inspect documentation and I did not see where it allowed me to do this.

I am running RH9, Snort 2.1.3. If there is anything else that I need to post to help you folks help me, please let me know.

TIA.
~SJC

--__--__--

Message: 5
To: "Chandana Bandara" <chandana () dialogsl net>
Cc: snort-users () lists sourceforge net, snort-users-admin () lists sourceforge net
Subject: Re: [Snort-users] plz help
From: shashank.joshi () tcs com
Date: Wed, 14 Jul 2004 21:02:51 +0530

You can get hold of Nessus and scan your snort host or any other box on the intranet (the traffic should be visible to snort, though). This can raise thousands of alerts.

Or, if you are interested in only seeing some alerts in ACID, write a small rule to catch all tcp traffic in the "local.rules" file and restart snort. (Be sure to remove this rule once you are satisfied :) )

good luck!

shashank

"it's difficult to improve perfection !"

--__--__--

Message: 6
Date: Wed, 14 Jul 2004 10:37:53 -0500
From: Paul Schmehl <pauls () utdallas edu>
To: snort-users () lists sourceforge net
Subject: [Snort-users] Remote syslogging of snort

I'm trying to set up snort to do remote syslogging. So I put this line in the snort.conf file:

output alert_syslog: local1.debug

But when I restart snort, I get this error message in /var/log/messages:

WARNING /usr/local/etc/snort.conf (419) => Unrecognized syslog facility/priority: local1.debug

Does snort not recognize the local logging facilities? Or do I have a syntax error?

(/etc/syslog.conf on the snort host reads: local1.debug @{sysloghost}
/etc/syslog.conf on the sysloghost reads: local1.debug /var/log/snort.log)

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/

--__--__--

Message: 7
To: wayne () kentuckyregiments org
Cc: snort-users () lists sourceforge net, snort-users-admin () lists sourceforge net
Subject: Re: [Snort-users] NEWBIE: rule writing walkthru?
From: shashank.joshi () tcs com
Date: Wed, 14 Jul 2004 21:08:13 +0530

Snort manual... nothing else required for rules info.

Good luck!

Shashank

"It's difficult to improve perfection !"
"Wayne Fielder" <wayne () kentuckyregiments org>
Sent by: snort-users-admin () lists sourceforge net
07/13/2004 07:24 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] NEWBIE: rule writing walkthru?

Greetings all,

I'm brand new to Snort. I know what it is capable of and want to play with it, but I'm having trouble getting out of the blocks. I'm reading through the docs and it seems pretty straightforward, but I would like to find a walkthru/tutorial or something like that for rule writing.

I'm wanting to use Snort as both an IDS AND a web usage monitor. I'm working with a state agency and money is... well... there is no money to spend on a Netappliance machine or something of that ilk. I was thinking that if Snort can detect intrusions it must also be able to do the web usage thing given the correct rule.

Wayne Fielder
MCP, GSEC, GCIH pending

-------------------------------------------------------
This SF.Net email sponsored by Black Hat Briefings & Training. Attend Black Hat Briefings & Training, Las Vegas July 24-29 - digital self defense, top technical experts, no vendor pitches, unmatched networking opportunities. Visit www.blackhat.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users

--__--__--

Message: 8
Date: Wed, 14 Jul 2004 08:40:38 -0700
From: Scott Zawalski <scott.zawalski () web de>
To: Randy Ramsdell <rramsdel () comcast net>
CC: "'snort-users () lists sourceforge net'" <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Alerts question

If you are using the standard rule set then you should see some trips on the readme.eml content: rules 1284 and 1290. (http://www.snort.org/cgi-bin/sigs-search.cgi?sid=readme.eml)

As far as a specific CodeRed sid, only 1256 applies for the CodeRed v2 rule, and it looks for /root.exe uricontent. (http://www.snort.org/snort-db/sid.html?sid=1256)

Scott

Randy Ramsdell wrote:
> I have been getting scanned daily by a host that is infected with "code red". Obviously a web server is running on it, and I went there and found the typical script trying to push "readme.eml". So, shouldn't snort catch this? I just need to know if it should without getting into specifics of my configuration. I read that snort should detect "code red" if you go to the site, but I am not sure if this is true.

--__--__--

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-users

End of Snort-users Digest
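Message 4 in the digest above asks how to switch off one http_inspect alert, and Message 3 points at suppress. In Snort 2.x a rule-based alert can be silenced by commenting the rule out, but a preprocessor alert has no rule file to edit; the per-signature mechanism for both is a suppress entry in threshold.conf (included from snort.conf), keyed on the bracketed gid:sid that every alert carries: `suppress gen_id <gid>, sig_id <sid>[, track by_src|by_dst, ip <address>]`. The script below is an added example, not Snort code and not from any poster on this thread: it parses alert_fast lines, counts them per signature and per source, and emits suppress entries for the noisy ones, so the entry can be limited to the one Shoutcast client rather than blinding the sensor to that event everywhere. The sample alert lines are constructed; their gid:sid:rev triples, addresses and message texts are placeholders, so take the real values from your own alert file.

```python
"""Count Snort alert_fast lines per signature and emit threshold.conf
'suppress' entries for the noisy ones.

Added example, not Snort code. Input is the alert_fast line layout:
  <timestamp>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: n] {proto} src:port -> dst:port
(the Classification field is absent on preprocessor alerts).
"""
import re
from collections import Counter

ALERT_RE = re.compile(
    r"^\S+\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:.*?\[Priority:\s*(?P<prio>\d+)\])?"
    r"\s*\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)

# Constructed sample. The gid:sid:rev triples, addresses and message texts are
# placeholders; read the real ones from the bracketed field of your own alerts.
SAMPLE_ALERTS = """\
07/14-11:21:28.100000  [**] [119:13:1] (http_inspect) NON-RFC HTTP DELIMITER [**] [Priority: 3] {TCP} 10.1.1.5:3456 -> 64.12.1.1:8000
07/14-11:21:29.200000  [**] [119:13:1] (http_inspect) NON-RFC HTTP DELIMITER [**] [Priority: 3] {TCP} 10.1.1.5:3457 -> 64.12.1.1:8000
07/14-11:21:31.300000  [**] [119:13:1] (http_inspect) NON-RFC HTTP DELIMITER [**] [Priority: 3] {TCP} 10.1.1.5:3458 -> 64.12.1.1:8000
07/14-11:22:02.400000  [**] [119:13:1] (http_inspect) NON-RFC HTTP DELIMITER [**] [Priority: 3] {TCP} 10.1.1.5:3459 -> 64.12.1.1:8000
07/14-11:25:10.500000  [**] [119:13:1] (http_inspect) NON-RFC HTTP DELIMITER [**] [Priority: 3] {TCP} 10.1.1.9:4001 -> 64.12.1.1:8000
07/14-11:30:45.600000  [**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:2048 -> 10.1.1.80:80
"""


def parse_alert(line):
    """One alert_fast line -> dict of fields, or None if the line does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("gid", "sid", "rev", "prio", "sport", "dport"):
        if d[k] is not None:
            d[k] = int(d[k])
    return d


def parse_alerts(text):
    """All parseable alerts in a block of alert_fast text, in file order."""
    return [a for a in map(parse_alert, text.splitlines()) if a]


def tally(alerts, by_src=False):
    """Counter keyed by (gid, sid, src); src is None when not tracking by source."""
    c = Counter()
    for a in alerts:
        c[(a["gid"], a["sid"], a["src"] if by_src else None)] += 1
    return c


def suppress_entries(alerts, min_count, by_src=False):
    """threshold.conf lines for every signature (or signature+source) seen >= min_count times.

    Each entry is preceded by a comment naming the alert so the file stays readable.
    """
    names = {(a["gid"], a["sid"]): a["msg"] for a in alerts}
    out = []
    counts = tally(alerts, by_src)
    for (gid, sid, src), n in sorted(counts.items(), key=lambda kv: (kv[0][0], kv[0][1], kv[0][2] or "")):
        if n < min_count:
            continue
        entry = f"suppress gen_id {gid}, sig_id {sid}"
        if src is not None:
            entry += f", track by_src, ip {src}"   # only this talker is silenced
        out.append(f"# {n} x {names[(gid, sid)]}\n{entry}")
    return out


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    print("# whole-signature suppressions (blunt: hides the event for every host):")
    print("\n".join(suppress_entries(alerts, min_count=3)))
    print("# per-source suppressions (keeps the signature live for everyone else):")
    print("\n".join(suppress_entries(alerts, min_count=3, by_src=True)))
```

Prefer the per-source form: a whole-signature suppress for an http_inspect event hides the same evasion attempt from any host, while `track by_src, ip <client>` only quiets the one streaming client that is known to be benign. Whether a given http_inspect event can instead be turned off in the `http_inspect_server` profile for that server depends on the Snort release; check README.http_inspect for your version before suppressing.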
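Message 6 in the digest above trips over a notation mismatch: `local1.debug` is syslog.conf notation, but Snort's alert_syslog output plugin takes the C-library facility and priority names (LOG_LOCAL0 to LOG_LOCAL7, LOG_EMERG to LOG_DEBUG), separated by a space, which is why snort.conf line 419 is rejected as an unrecognized facility/priority. Messages 1 and 5 describe throwaway rules for proving that the sensor sees traffic at all. The fragments below are an added example, not configuration from any poster: the rejected line beside the accepted one, the syslogd forwarding that actually moves alerts to the remote host, and a local.rules set with a catch-all TCP rule, a /etc/passwd-in-URI rule and a large-ICMP rule. `loghost.example.com`, the sid numbers and the 800-byte ICMP size are placeholders chosen for the example.

```conf
# --- snort.conf, output section -------------------------------------------
# Rejected ("Unrecognized syslog facility/priority"): syslog.conf notation
#   output alert_syslog: local1.debug
# Accepted: C-library names, space separated
output alert_syslog: LOG_LOCAL1 LOG_DEBUG

# --- /etc/syslog.conf on the sensor ----------------------------------------
# Snort hands alerts to the local syslogd; forwarding is syslogd's job.
# "local1.*" selects every priority on that facility (a "local1.debug"
# selector also works, because it means "debug and above").
local1.*        @loghost.example.com

# --- /etc/syslog.conf on loghost.example.com --------------------------------
# sysklogd only accepts remote messages when started with -r.
local1.*        /var/log/snort.log

# --- local.rules: throwaway rules to prove the sensor sees traffic -----------
# sids from 1000000 up are reserved for local rules. Restart snort after
# editing, and remove the catch-all once alerts show up in ACID: it fires on
# every TCP packet the sensor sees.
alert tcp any any -> any any (msg:"LOCAL test - any TCP"; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"LOCAL test - /etc/passwd in URI"; flow:to_server,established; uricontent:"/etc/passwd"; nocase; sid:1000002; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"LOCAL test - large ICMP payload"; dsize:>800; sid:1000003; rev:1;)
```

The /etc/passwd rule is what Patrick Harper's browser test exercises (any request to a monitored web port with that string in the URI), and the ICMP rule is the "large ICMP" check that Chandana's oversized ping would have needed; neither fires unless the sensor interface actually receives the traffic, which on a switched network means a SPAN/monitor port, a tap or an inline hub, as Message 1 says.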
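Message 8 in the digest above turns on the difference between `content` and `uricontent`: the CodeRed v2 rule (sid 1256) matches `/root.exe` against the URI after http_inspect has normalized it, whereas a plain `content` match sees the raw bytes. The script below is an added example, not Snort's code and not from any poster: it approximates http_inspect's URI normalization (percent-decoding, the optional `double_decode` pass, backslash to slash, multi-slash collapse and `.`/`..` resolution) and runs a small rule subset over constructed HTTP requests, so the reader can see which probes a raw `content` match misses. Sid 1256 and its `/root.exe` uricontent come from the thread; the 10000xx sids, their message texts and the sample requests are constructed for the example, and the normalizer omits http_inspect's IIS-specific decodings.

```python
"""Emulate how a Snort 2.x uricontent rule sees an HTTP request.

Added example, not Snort's own code. http_inspect's real normalizer also
handles IIS unicode, bare-byte, base36 and other encodings; this one covers
percent-decoding, optional double decoding, backslash -> slash, multi-slash
collapse and ./.. resolution, which is enough to show why sid 1256 uses
uricontent rather than content.
"""
from urllib.parse import unquote

# Rule subset. sid 1256 and its /root.exe uricontent are from the thread;
# the 10000xx sids are constructed local rules for contrast.
RULES = [
    {"sid": 1256, "msg": "WEB-IIS CodeRed v2 root.exe access",
     "uricontent": "/root.exe", "nocase": True},
    {"sid": 1000010, "msg": "LOCAL readme.eml in payload", "content": "readme.eml"},
    {"sid": 1000011, "msg": "LOCAL cmd.exe reached by traversal",
     "uricontent": "/winnt/system32/cmd.exe", "nocase": True},
    {"sid": 1000012, "msg": "LOCAL root.exe, raw content only (for contrast)",
     "content": "/root.exe"},
]

# Constructed requests: the two historical worm probes, a readme.eml fetch,
# a percent-encoded and a double-encoded root.exe, and a benign request.
REQUESTS = {
    "codered2": "GET /scripts/root.exe?/c+dir HTTP/1.0\r\nHost: 10.1.1.80\r\n\r\n",
    "nimda":    "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n",
    "readme":   "GET /readme.eml HTTP/1.0\r\n\r\n",
    "encoded":  "GET /scripts/%72oot.exe HTTP/1.0\r\n\r\n",
    "double":   "GET /scripts/%2572oot.exe HTTP/1.0\r\n\r\n",
    "benign":   "GET /index.html HTTP/1.0\r\n\r\n",
}


def normalize_uri(uri, double_decode=False):
    """Approximate http_inspect's URI normalization."""
    u = unquote(uri)                 # one percent-decoding pass, as any server does
    if double_decode:                # http_inspect 'double_decode yes' (IIS behaviour)
        u = unquote(u)
    u = u.replace("\\", "/")         # IIS accepts backslash as a path separator
    absolute = u.startswith("/")
    parts = []
    for seg in u.split("/"):         # empty segments collapse '//', '.' and '..' resolve
        if seg == "..":
            if parts:
                parts.pop()
        elif seg not in ("", "."):
            parts.append(seg)
    return ("/" if absolute else "") + "/".join(parts)


def request_uri(raw):
    """Request-URI from the request line of a raw HTTP request."""
    return raw.split("\r\n", 1)[0].split(" ")[1]


def match_rules(raw, rules=RULES, double_decode=False):
    """sids that fire on one request, in rule order.

    uricontent is checked against the normalized URI, content against the raw bytes.
    """
    norm = normalize_uri(request_uri(raw), double_decode)
    hits = []
    for r in rules:
        if "uricontent" in r:
            hay, needle = norm, r["uricontent"]
        else:
            hay, needle = raw, r["content"]
        if r.get("nocase"):
            hay, needle = hay.lower(), needle.lower()
        if needle in hay:
            hits.append(r["sid"])
    return hits


if __name__ == "__main__":
    for name, raw in REQUESTS.items():
        print(f"{name:9} normalized={normalize_uri(request_uri(raw))!r:45} hits={match_rules(raw)}")
    print("double   with double_decode:", match_rules(REQUESTS["double"], double_decode=True))
```

The contrast rule (sid 1000012) fires on the plain CodeRed probe but not on the percent-encoded one, while sid 1256 catches both; the double-encoded request is caught only when the emulated server profile double-decodes, which is the http_inspect `double_decode` setting. The readme.eml rule works on the raw payload here because the filename is not encoded in the sample; the same encoding trick would slip past a raw `content` match on it.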