Snort mailing list archives

Re: Configuration issue


From: John Sage <jsage () finchhaven com>
Date: Sat, 22 Sep 2001 21:43:49 -0700

Just a thought:

Do you actually have active any rules that will detect CodeRed or Nimda?

When I do this:

[toot@greatwall /usr/local/snort-1.8.1-RELEASE]# grep 'CodeRed' *.rules

All I get is this:

web-iis.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg: "WEB-IIS CodeRed v2 root.exe access"; flags: A+; uricontent:"scripts/root.exe?"; nocase; classtype: attempted-admin; sid: 1257; rev: 1;)

So there's only this one rule in the default rules (at least for Build 74 of 1.8.1-RELEASE on Linux), and of course there would be *nothing* for Nimda, unless you added it yourself, Nimda being so new and all...

- John

--
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage () finchhaven com
"The web is so, like, five minutes ago..."


DJDave Sobel wrote:

Snort Users:

Need a little help... I believe I have everything configured
correctly... having built and installed snort 1.8.1, I have it running
and configured for my network.  My network is divided into three major
subnets, one with publicly addressable IPs, and two private blocks.
Despite the fact that I'm seeing multiple CodeRed and Nimda attacks in
the web server logs, Snort does not seem to see them -- or certainly
doesn't report them.  I'm not using anything more than the standard
ruleset, so I'm not sure what I'm doing wrong.

I've included my snort.conf below, and I execute snort with this
command:

/usr/local/bin/snort -c /usr/local/snort/snort.conf -dD

I have removed the -dD and verified that snort does run, and with the
-dD I can see it in the process list.

Can anyone help?

Dave



<sir snip-a-lot>


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
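As an added example (not from the thread, and not Snort's own parser), a small Python parser for the one-line form of the rule John's grep turned up: it splits the header from the option list, records that `nocase` modifies the `uricontent` before it, and checks whether a request URI like the ones Dave sees in his web server logs would satisfy the rule's content test. The sample rule text is constructed from the page; the code does not model $HTTP_SERVERS resolution, TCP flags or the rest of the Snort engine.

```python
# Constructed sample: the CodeRed rule John's grep found, joined onto one line.
CODERED_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 '
    '(msg: "WEB-IIS CodeRed v2 root.exe access"; flags: A+; '
    'uricontent:"scripts/root.exe?"; nocase; classtype: attempted-admin; '
    'sid: 1257; rev: 1;)'
)

HEADER_FIELDS = ('action', 'proto', 'src', 'sport', 'direction', 'dst', 'dport')

def _split_options(body):
    """Split the option body on ';' outside double quotes."""
    parts, cur, in_quote = [], [], False
    for ch in body:
        in_quote ^= (ch == '"')
        if ch == ';' and not in_quote:
            parts.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    return [p for p in parts + [''.join(cur).strip()] if p]

def parse_rule(line):
    """Parse 'action proto src sport -> dst dport (opts)' into a dict."""
    head, _, body = line.partition('(')
    fields = head.split()
    if len(fields) != len(HEADER_FIELDS) or fields[4] != '->':
        raise ValueError('unsupported rule header: %r' % head)
    rule = {'header': dict(zip(HEADER_FIELDS, fields)), 'options': {}, 'uricontents': []}
    for opt in _split_options(body.rstrip(')')):
        key, _, val = opt.partition(':')
        key, val = key.strip(), val.strip().strip('"')
        if key == 'uricontent':
            rule['uricontents'].append([val, False])   # [pattern, nocase]
        elif key == 'nocase' and rule['uricontents']:
            rule['uricontents'][-1][1] = True   # nocase modifies the content before it
        else:
            rule['options'][key] = val
    return rule

def uri_matches(rule, uri):
    """True if the request URI satisfies every uricontent test of the rule."""
    for pat, nocase in rule['uricontents']:
        hay, needle = (uri.lower(), pat.lower()) if nocase else (uri, pat)
        if needle not in hay:
            return False
    return bool(rule['uricontents'])

def rules_mentioning(rules_text, keyword):
    """John's grep over parsed rules: the rules whose msg mentions keyword."""
    rules = (parse_rule(l) for l in rules_text.splitlines() if l.startswith('alert'))
    return [r for r in rules if keyword.lower() in r['options'].get('msg', '').lower()]
```

Because the only uricontent test is "scripts/root.exe?", a request for a different path such as /index.html (or any probe that does not reach $HTTP_SERVERS) never satisfies this rule, which is John's point about the default ruleset.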

