Re: No longer seeing exploit traffic on version 2.0.0

[Chris Green <cmg () sourcefire com>]

Lloyd_Ardoin () mazzios com writes:

> 1.  (*) text/plain          ( ) text/html           
>
> I have been using Snort 1.9.0 and had upgraded to 1.9.1 about 3 weeks ago. 
> It is running on a Linux RedHat Dell box on our DMZ. It has been up and 
> monitoring for about 3 months. It is configured to log to a mysql database 
> and I have the ACID console up and working also. The Snort box has been 
> logging about 2 dozen alerts a day on average. Mostly IIS Web exploits. I 
> upgraded to the 2.0.0 version on April 23rd and I am no longer getting any 
> alerts from Snort. I have created an alert rule in the local.rules file 
> that says -
>
> alert ip !$HOME_NET any -> $HOME_NET any
>
> which is generating alerts.  But I am no longer seeing any alerts on the 
> consistent IIS web exploints I have been seeing for the last couple of 
> months.  I have reviewed everything on my setup but can't seem to come up 
> with anything....can anyone provide any suggestions?

Try -A fast -b and see if it's related to ACID or related to snort.

I recommend adding a message

alert ip !$HOME_NET any -> $HOME_NET any (msg: "LOCAL: goofy man";)
-- 
Chris Green <cmg () sourcefire com>
Laugh and the world laughs with you, snore and you sleep alone.


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users