Snort mailing list archives
Re: bug?
From: Phil Wood <cpw () lanl gov>
Date: Fri, 22 Feb 2002 15:04:05 -0700
On Fri, Feb 22, 2002 at 08:51:36AM -0000, Post, ME (Meint) wrote:
Hello,
Happens all the time with different scenarios. Your problem is that you log over the same interface that you collect stats. If you cannot use two interfaces, then I'd set up a pass rule (or add a bpf filter which ignores traffic for the ACID webserver). I've been so unenlightened as to send a signature in an email to the whole snort list, and then wade through the multitude of anti-virus software commentary from those on the list.
I'm wondering whether the following incident is a bug or an oversight on my part. I'd appreciate some feedback on this:

Yesterday I noticed in the ACID console that one individual was quite adamant in poking my server. I decided to check if the logged IP address hosted a website so I could gain more knowledge about the intruder. Upon entering the website I was literally jumped by Nimda viruses, which was dutifully logged by Snort as part of the web-misc rules. My anti-virus software blocked the Nimda virus. From this moment on my ACID log filled itself with warnings that my webserver was attempting to infiltrate me with readme.eml attacks. Every time I requested an ACID page with the warning my logs filled with 60-70 warnings concerning readme.eml attacks.

My webserver is a Linux machine and therefore not susceptible to Nimda. I don't have Samba shares installed so the virus hasn't jumped to my work machine. I did some extensive scanning with two anti-virus programs on my work machine and both didn't find anything. I scanned my Linux server with two anti-virus programs and they didn't find anything either.

My suspicion is that Snort is triggered to report a Nimda readme.eml attack by the reporting of ACID on the first attack, i.e. it is a cascade of warnings because every new warning generates a new Snort log entry. In other words, the fact that Snort has logged the first Nimda attack is reported by ACID. Snort detects the phrase "readme.eml" in the ACID report page and registers a new attack (registering an attack from my webserver where the ACID pages are generated). This new attack is reported by ACID, causing new warnings etc... Is this a correct assumption on my part? If so will this be corrected in a new version? Right now I have disabled Nimda warnings in the web-misc.rules file but this is not an ideal solution.

Regards, Meint

p.s. I like ACID a lot, keep up the good work!
-- Phil Wood, cpw () lanl gov

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
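The two workarounds Phil names above (a BPF filter or a pass rule), written out as an added illustration rather than anything posted in the thread. It assumes the ACID console is served from 192.0.2.10 on TCP port 80 and viewed from the analyst workstation 192.0.2.20; both addresses are constructed placeholders.

```conf
# Option 1: BPF filter on the snort command line. The sensor then never sees
# the HTTP session between the analyst's browser and the ACID console, so the
# alert pages that echo "readme.eml" cannot re-trigger the web-misc rule.
# Traffic from everyone else to the webserver is still inspected.
#
#   snort -c /etc/snort/snort.conf -i eth0 \
#       'not (host 192.0.2.10 and host 192.0.2.20 and tcp port 80)'
#
# Option 2: a pass rule in snort.conf that only suppresses alert-page
# responses going from the console host to the analyst workstation.
# Snort 1.8 applies Alert rules before Pass rules by default, so this rule
# has no effect unless snort is started with -o (order Pass->Alert->Log).
var ACID_SERVER 192.0.2.10    # host serving the ACID console (placeholder)
var ANALYST     192.0.2.20    # workstation that browses ACID (placeholder)
pass tcp $ACID_SERVER 80 -> $ANALYST any (msg:"ACID console page echoing readme.eml"; content:"readme.eml"; nocase;)
```

The pass rule is the narrower fix: it keeps alerting on real readme.eml traffic to or from any other host, whereas the BPF filter blinds the sensor to the whole console session.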