Snort mailing list archives
Re: readme.eml coming from an apache RH web server?
From: "John Mulkerin" <jmulkerin () attbi com>
Date: Sun, 16 Dec 2001 16:38:52 -0800
I agree, Snort should see the Code Red and Nimda even if I'm running Apache, but it looks like the Nimda is coming from my Apache server ($HOME_NET). I don't think Nimda is reasonable coming from an Apache server, is it? Anybody got a clue what I'd look for? Maybe an IP spoof?

John

----- Original Message -----
From: "Paul D. Shaffer" <paulshaf () earthlink net>
To: "'John Mulkerin'" <jmulkerin () attbi com>; <snort-users () lists sourceforge net>
Sent: Sunday, December 16, 2001 2:09 PM
Subject: RE: [Snort-users] readme.eml coming from an apache RH web server?
Your Snort will "see" all the Code Red and Nimda stuff even if you're running Apache. That's not to say it's "succeeding." Those worms look for http servers at port 80 and try to exploit anything they find (not smart enough to recognize IIS). Check your Apache logs and you should see it returning 404s as the exploits try to get non-existent stuff from your web server...

Paul

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of John Mulkerin
Sent: Sunday, December 16, 2001 11:50 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] readme.eml coming from an apache RH web server?

I'm not real good at snort configuration but do have my HOME_NET set to my specific two home addresses (so I added a CIDR of 32). However, I see alerts from my 12.XXX.XXX.XX1 machine to my other home machine 12.XXX.XXX.XX2. Since I'm pretty sure the Nimda exploit is not running on a RedHat 7.2 with Apache, what am I doing wrong? Here are a couple of the log entries:

12/16-09:47:20.775485 [**] [1:1284:3] WEB-MISC readme.eml attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 12.XXX.XXX.XX1:80 -> 12.XXX.XXX.XX2:1670
12/16-09:47:20.799312 [**] [1:1284:3] WEB-MISC readme.eml attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 12.XXX.XXX.XX1:80 -> 12.XXX.XXX.XX2:1670

var HOME_NET [12.XXX.XXX.XX1/32,12.XXX.XXX.XX2/32]

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
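Added example, not written by anyone in this thread: a small Python triage script for the Snort fast-alert format quoted above. It parses the HOME_NET list syntax and each alert line, then reports whether a web rule fired on a request to a HOME_NET web server or on that server's own port-80 traffic going back out, which is the direction the quoted alerts show. The addresses and the third alert line are constructed.

```python
import ipaddress
import re

# Constructed Snort "fast" alert lines in the format quoted above; the poster's
# masked 12.XXX addresses are replaced with RFC 5737 documentation addresses.
SAMPLE_ALERTS = """\
12/16-09:47:20.775485 [**] [1:1284:3] WEB-MISC readme.eml attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 192.0.2.1:80 -> 192.0.2.2:1670
12/16-09:47:20.799312 [**] [1:1284:3] WEB-MISC readme.eml attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 192.0.2.1:80 -> 192.0.2.2:1670
12/16-10:02:11.000001 [**] [1:1284:3] WEB-MISC readme.eml attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 198.51.100.7:3311 -> 192.0.2.1:80
"""
# Same list syntax as the "var HOME_NET [...]" line in the thread (constructed values).
SAMPLE_HOME_NET = "[192.0.2.1/32,192.0.2.2/32]"

ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?\[Priority: (?P<pri>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_home_net(value):
    """Parse a Snort HOME_NET list such as "[a/32,b/32]" into ip_network objects."""
    return [ipaddress.ip_network(p.strip()) for p in value.strip("[]").split(",")]

def parse_alert(line):
    """Return the alert's fields as a dict, or None for a line that is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    for key in ("sid", "rev", "pri", "sport", "dport"):
        fields[key] = int(fields[key])
    return fields

def classify(alert, home_nets, web_port=80):
    """Which half of the HTTP exchange a web rule fired on: 'inbound-request'
    when a HOME_NET web port is the destination, 'server-response' when a
    HOME_NET web port is the *source* (the rule matched bytes the server sent
    back, rather than a request aimed at it), else 'other'."""
    src, dst = ipaddress.ip_address(alert["src"]), ipaddress.ip_address(alert["dst"])
    if alert["dport"] == web_port and any(dst in n for n in home_nets):
        return "inbound-request"
    if alert["sport"] == web_port and any(src in n for n in home_nets):
        return "server-response"
    return "other"

def triage(text, home_net_value):
    """(sid, src, dst, direction) for every alert line in text."""
    home_nets = parse_home_net(home_net_value)
    alerts = (parse_alert(line) for line in text.splitlines())
    return [(a["sid"], a["src"], a["dst"], classify(a, home_nets)) for a in alerts if a]
```

Run against a real alert file, the 'server-response' rows are the ones to check against the Apache access log for that timestamp, since the rule hit is on what the server served rather than on what a client sent it.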