Snort mailing list archives
RE: readme.eml coming from an apache RH web server?
From: "Paul D. Shaffer" <paulshaf () earthlink net>
Date: Sun, 16 Dec 2001 15:09:06 -0700
Your Snort will "see" all the Code Red and Nimda stuff even if you're running Apache. That's not to say it's "succeeding." Those worms look for http servers at port 80 and try to exploit anything they find (not smart enough to recognize IIS). Check your Apache logs and you should see it returning 404s as the exploits try to get non-existent stuff from your web server...

Paul

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of John Mulkerin
Sent: Sunday, December 16, 2001 11:50 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] readme.eml coming from an apache RH web server?

I'm not real good at snort configuration but do have my HOME_NET set to my specific two home addresses (so I added a CIDR of 32). However, I see alerts from my 12.XXX.XXX.XX1 machine to my other home machine 12.XXX.XXX.XX2. Since I'm pretty sure the Nimda exploit is not running on a RedHat 7.2 with Apache, what am I doing wrong?
Here are a couple of the log entries:

12/16-09:47:20.775485 [**] [1:1284:3] WEB-MISC readme.eml attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 12.XXX.XXX.XX1:80 -> 12.XXX.XXX.XX2:1670
12/16-09:47:20.799312 [**] [1:1284:3] WEB-MISC readme.eml attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 12.XXX.XXX.XX1:80 -> 12.XXX.XXX.XX2:1670

var HOME_NET [12.XXX.XXX.XX1/32,12.XXX.XXX.XX2/32]

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
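Paul's advice to check the Apache logs, turned into a small triage script (an added example, not code from the thread or from the Snort project): it parses Snort fast-format alert lines of the kind John posted, checks both ends against HOME_NET, and looks the client up in a constructed Apache common-log sample to see whether its readme.eml request was answered with a 404. It assumes that an alert whose source port is 80 fired on the web server's reply, so the destination host is the probing client; the 192.0.2.x addresses and the log lines are constructed stand-ins for the poster's masked hosts.

```python
import ipaddress
import re

# Constructed samples; 192.0.2.x stands in for the poster's masked 12.XXX.XXX.XXn hosts.
HOME_NET = ["192.0.2.1/32", "192.0.2.2/32"]
ALERTS = [
    "12/16-09:47:20.775485 [**] [1:1284:3] WEB-MISC readme.eml attempt [**] "
    "[Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 192.0.2.1:80 -> 192.0.2.2:1670",
]
APACHE_LOG = [  # constructed common-log-format lines as the Apache host would write them
    '192.0.2.2 - - [16/Dec/2001:09:47:20 -0700] "GET /scripts/readme.eml HTTP/1.0" 404 286',
    '192.0.2.2 - - [16/Dec/2001:09:47:21 -0700] "GET /index.html HTTP/1.0" 200 1043',
]

ALERT_RE = re.compile(  # Snort "fast" alert layout, as in the thread
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\] "
    r"\[Classification: (?P<cls>[^\]]+)\] \[Priority: (?P<pri>\d+)\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
CLF_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')

def parse_alert(line):
    m = ALERT_RE.match(line.strip())
    if not m:
        raise ValueError("not a Snort fast-format alert: %r" % line)
    d = m.groupdict()
    for k in ("gid", "sid", "rev", "pri", "sport", "dport"):
        d[k] = int(d[k])
    return d

def in_home_net(ip, home_net=HOME_NET):
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in home_net)

def triage(alert, apache_log, web_port=80):
    """Work out which host initiated the traffic and whether Apache actually served
    the file. Assumption (not stated in the thread): when the alert's source port is
    the web server's port, the rule matched the server's reply, so the destination
    host is the client that sent the probe."""
    if alert["sport"] == web_port:
        client, server = alert["dst"], alert["src"]
    else:
        client, server = alert["src"], alert["dst"]
    hits = []  # (request line, status) for this client's readme.eml fetches
    for line in apache_log:
        m = CLF_RE.match(line)
        if m and m.group("client") == client and "readme.eml" in m.group("req"):
            hits.append((m.group("req"), int(m.group("status"))))
    return {"client": client, "server": server,
            "client_in_home_net": in_home_net(client), "server_in_home_net": in_home_net(server),
            "apache_hits": hits,
            "served": any(s < 400 for _, s in hits)}  # True would mean the fetch succeeded
```

A result with both hosts in HOME_NET and only 404 hits is the situation John describes: Snort matched the traffic, but the server had nothing to give.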
Current thread:
- readme.eml coming from an apache RH web server? John Mulkerin (Dec 16)
- RE: readme.eml coming from an apache RH web server? Paul D. Shaffer (Dec 16)
- RE: readme.eml coming from an apache RH web server? Steve Ochani (Dec 16)
- RE: readme.eml coming from an apache RH web server? Paul D. Shaffer (Dec 16)
- Re: readme.eml coming from an apache RH web server? John Mulkerin (Dec 16)
- RE: readme.eml coming from an apache RH web server? Steve Ochani (Dec 16)
- RE: readme.eml coming from an apache RH web server? Paul D. Shaffer (Dec 16)