Snort mailing list archives

RE: Snort-users digest, Vol 1 #4375 - 8 msgs


From: Takisha Harper <TakishaHarper () ppom com>
Date: Wed, 14 Jul 2004 13:13:00 -0400

Any of you guys know any people or consultants that can come in and assist
us with setting up Snort?

Thanks 

-----Original Message-----
From: snort-users-request () lists sourceforge net
[SMTP:snort-users-request () lists sourceforge net]
Sent: Wednesday, July 14, 2004 11:45 AM
To:   snort-users () lists sourceforge net
Subject:      Snort-users digest, Vol 1 #4375 - 8 msgs

Send Snort-users mailing list submissions to
      snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
      https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
      snort-users-request () lists sourceforge net

You can reach the person managing the list at
      snort-users-admin () lists sourceforge net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."


Today's Topics:

   1. RE: plz help (Harper, Patrick)
   2. RE: plz help (Nick Duda)
   3. problem with suppress... (Tobias Rice)
   4. (http_inspect) NON-RFC HTTP DELIMITER issue
(sjconsulting () optonline net)
   5. Re: plz help (shashank.joshi () tcs com)
   6. Remote syslogging of snort (Paul Schmehl)
   7. Re: NEWBIE: rule writing walkthru? (shashank.joshi () tcs com)
   8. Re: Alerts question (Scott Zawalski)

--__--__--

Message: 1
From: "Harper, Patrick" <patrick.harper () phns com>
To: "Chandana Bandara" <chandana () dialogsl net>,
      <snort-users () lists sourceforge net>
Date: Wed, 14 Jul 2004 08:15:00 -0500
Subject: RE: [Snort-users] plz help

Do you have a rule for large ICMP enabled?  Try a vulnerability scanner,
that should trigger some alerts for ya.  Or if you have the content:
/etc/passwd rule enabled just go to the IP of the snort box in a
browser with /etc/passwd in the URL and you should get an alert.

When you say "how do I check this from other clients?" are you talking
about checking the traffic to and from the clients on your network?  If
you are on a switched network (a managed one) you need to set up a span or
monitor port depending on the brand of switch.  If you are on a dumb switch
then you either need to use a tap or a small hub inline; taps work better
in my opinion but hubs are cheaper.

Hope that helps

-----Original Message-----
From: Chandana Bandara [mailto:chandana () dialogsl net]
Sent: Wednesday, July 14, 2004 6:19 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] plz help

hi,

I have installed snort perfectly in a Red Hat Linux 9 box. The ACID URL runs in
the browser.
I used the ping command with huge packet sizes to that snort server. But
there were no alerts in ACID.

So tell me, how do I check this from other clients?

plz help

thanx in advance
chandana









--__--__--

Message: 2
Subject: RE: [Snort-users] plz help
Date: Wed, 14 Jul 2004 09:53:19 -0400
From: "Nick Duda" <nduda () VistaPrint com>
To: "Chandana Bandara" <chandana () dialogsl net>,
      <snort-users () lists sourceforge net>


Nessus, Retina, NMAP....etc Anything that can do massive pen testing
will make snort go crazy. Tools like these are required in a security
pro's toolbox


From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Chandana
Bandara
Sent: Wednesday, July 14, 2004 7:19 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] plz help

hi,

I have installed snort perfectly in a Red Hat Linux 9 box. The ACID URL runs in
the browser.

I used the ping command with huge packet sizes to that snort server. But
there were no alerts in ACID.

So tell me, how do I check this from other clients?

plz help

thanx in advance

chandana




--__--__--

Message: 3
Date: Wed, 14 Jul 2004 07:01:45 -0700
From: Tobias Rice <rice () up edu>
To: Graeme.Rider () colesmyer com au
Cc: snort-users () lists sourceforge net
Subject: [Snort-users] problem with suppress...

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Are you using the "-o" flag to change the rule testing order to
Pass|Alert|Log?

Tobias
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFA9TzJRJX8S0T0CkURAgydAKCqv7UOaJ4eL4JOIPIW3jnGpPcTyQCfVWq6
yHLh601GO7lWufmFYuCRXIE=
=8xco
-----END PGP SIGNATURE-----


--__--__--

Message: 4
Date: Wed, 14 Jul 2004 11:21:28 -0400
From: sjconsulting () optonline net
To: snort-users () lists sourceforge net
Subject: [Snort-users] (http_inspect) NON-RFC HTTP DELIMITER issue

I am receiving this alert and I know this alert is being generated by
someone streaming "Yahoo Shoutcast" on my net... would you consider this to be
a false positive?  Is there a way to turn this specific inspection/alert
off? I was reading through the http_inspect documentation and I did not see
where it was that allowed me to do this. I am running RH9, Snort 2.1.3. If
there is anything else that I need to post to help you folks help me, please
let me know.

TIA.

~SJC
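An added configuration example for the question above (it is not part of the post and not from the Snort project's own files): rather than switching the http_inspect check off for every client, scope the decision to the one event and the hosts that produce it, in the threshold.conf that the stock 2.x snort.conf includes. The client address is a constructed placeholder; gen_id 119 is the http_inspect client preprocessor, and the sig_id shown is the one listed for "NON-RFC HTTP DELIMITER" in later 2.x gen-msg.map files, so confirm it against the copy on your own sensor. It also assumes, as in later 2.x releases, that suppress and threshold entries apply to preprocessor events the same way they apply to rule events.

```snort
# threshold.conf on the sensor (added example, not from the thread)
#
# Placeholder: replace 192.0.2.25 with the host that streams Shoutcast.
# Look up the exact sig_id in gen-msg.map on the sensor; gen_id 119 is the
# http_inspect client preprocessor.
#
# Silence this one event only when the known streaming client is the source.
# Every other host on the segment still raises it, so a new source of
# non-RFC delimiters remains visible in ACID.
suppress gen_id 119, sig_id 13, track by_src, ip 192.0.2.25

# Alternative when several clients stream: keep the event but rate-limit it
# to one alert per source every 10 minutes instead of suppressing it outright.
threshold gen_id 119, sig_id 13, type limit, track by_src, count 1, seconds 600
```

Use one of the two entries, not both, for the same gen_id/sig_id pair. The suppress form is the one to prefer when the traffic source is fixed and known; the threshold form trades some noise for still seeing a burst from a host you did not expect.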



--__--__--

Message: 5
To: "Chandana Bandara" <chandana () dialogsl net>
Cc: snort-users () lists sourceforge net,
      snort-users-admin () lists sourceforge net
Subject: Re: [Snort-users] plz help
From: shashank.joshi () tcs com
Date: Wed, 14 Jul 2004 21:02:51 +0530


u can get hold of nessus and scan ur snort host or any other box on the
intranet (the traffic should be visible to snort though); this can raise
thousands of alerts.

or if you are interested in only seeing some alerts in ACID, write a small
rule to catch all tcp traffic in the "local.rules" file and restart snort. (be
sure to remove this rule once u r satisfied :) )

good luck!


shashank

"it's difficult to improve perfection !"
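An added example, not part of either reply in this thread and not from the Snort rule set, of what the "small rule in local.rules" test looks like in practice, written to also cover the large-ICMP and /etc/passwd-in-URL checks suggested in the first reply. It assumes a stock 2.x snort.conf that already has `include $RULE_PATH/local.rules` and a `$HOME_NET` set to the monitored network; the sids are in the 1000000+ range reserved for local rules, and the classtypes are ones defined in the stock classification.config.

```snort
# local.rules (added example, not from the thread). Temporary canary rules to
# confirm the sensor is actually seeing traffic and that ACID displays alerts.
# Remove them once the check passes: rule 1 in particular fires on every TCP
# session start and will flood the database on a busy segment.

# 1. Broad canary, narrower than "all tcp traffic": one alert per new TCP
#    connection into $HOME_NET (SYN only), so each session logs once.
alert tcp any any -> $HOME_NET any (msg:"LOCAL TEST new tcp session to home net"; flags:S; sid:1000001; rev:1; classtype:not-suspicious;)

# 2. The thread's ping test. dsize:>800 matches ICMP echo requests whose
#    payload exceeds 800 bytes; "ping -s 1000 <sensor>" from a client trips it
#    only if that client's traffic really crosses the span/tap port the sensor
#    listens on, which is exactly what the original question needs to verify.
alert icmp any any -> $HOME_NET any (msg:"LOCAL TEST large ICMP echo request"; itype:8; dsize:>800; sid:1000002; rev:1; classtype:not-suspicious;)

# 3. The /etc/passwd-in-the-URL test from the first reply, as a plain content
#    match on port 80 so it works even if the stock web rules are not loaded.
alert tcp any any -> $HOME_NET 80 (msg:"LOCAL TEST /etc/passwd in HTTP request"; content:"/etc/passwd"; nocase; sid:1000003; rev:1; classtype:web-application-attack;)
```

Before restarting, run `snort -T -c /etc/snort/snort.conf` to have Snort parse the configuration and report syntax errors without starting capture. If rule 2 never fires from a client host while rule 1 does fire for the sensor's own connections, the sensor is seeing only its own traffic, which points at the span/tap setup described in the first reply rather than at Snort itself.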




"Chandana Bandara" <chandana () dialogsl net>
Sent by: snort-users-admin () lists sourceforge net
07/14/2004 04:49 PM
Please respond to "Chandana Bandara" <chandana () dialogsl net>
To: <snort-users () lists sourceforge net>
Subject: [Snort-users] plz help


hi,

I have installed snort perfectly in a Red Hat Linux 9 box. The ACID URL runs in
the browser.
I used the ping command with huge packet sizes to that snort server. But
there were no alerts in ACID.

So tell me, how do I check this from other clients?

plz help

thanx in advance
chandana




--__--__--

Message: 6
Date: Wed, 14 Jul 2004 10:37:53 -0500
From: Paul Schmehl <pauls () utdallas edu>
To: snort-users () lists sourceforge net
Subject: [Snort-users] Remote syslogging of snort

I'm trying to set up snort to do remote syslogging.  So I put this line in
the snort.conf file:

output alert_syslog: local1.debug

But when I restart snort, I get this error message in /var/log/messages:

 WARNING /usr/local/etc/snort.conf (419) => Unrecognized syslog 
facility/priority: local1.debug

Does snort not recognize the local logging facilities?  Or do I have a 
syntax error?

(/etc/syslog.conf on the snort box reads "local1.debug    @{sysloghost}".

/etc/syslog.conf on the sysloghost reads "local1.debug     /var/log/snort.log".)

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
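An added configuration example (not from the post, and not Snort's own documentation text) showing the syntax difference behind the warning quoted above: Snort's alert_syslog output plugin takes the facility and the priority as two separate LOG_* tokens, the names from syslog.h, whereas /etc/syslog.conf uses the dotted facility.priority selector. The host name sysloghost is kept from the post; the file contents below are otherwise assumed.

```snort
# --- snort.conf on the sensor (added example, not the poster's file) ---
# What the post had. The alert_syslog parser does not understand selector syntax:
#   output alert_syslog: local1.debug      -> "Unrecognized syslog facility/priority"
# What the plugin expects: facility token, then priority token, both LOG_* names.
output alert_syslog: LOG_LOCAL1 LOG_DEBUG

# --- /etc/syslog.conf on the sensor ---
# Snort only hands each alert to the local syslogd; forwarding is syslogd's job.
# Selector and action are separated by tabs. "@host" forwards over UDP port 514.
# local1.debug	@sysloghost

# --- /etc/syslog.conf on sysloghost ---
# The receiving sysklogd must be started with -r or it ignores remote messages;
# with that in place, file the facility into its own log.
# local1.debug	/var/log/snort.log
```

Restart syslogd on both hosts after editing syslog.conf, then restart Snort and check /var/log/messages on the sensor for the warning disappearing. Syslog over UDP is neither authenticated nor reliable, so keep a local alert output (alert_fast, or the unified output ACID reads) alongside it; a dropped datagram should not mean a lost alert.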


--__--__--

Message: 7
To: wayne () kentuckyregiments org
Cc: snort-users () lists sourceforge net,
      snort-users-admin () lists sourceforge net
Subject: Re: [Snort-users] NEWBIE: rule writing walkthru?
From: shashank.joshi () tcs com
Date: Wed, 14 Jul 2004 21:08:13 +0530


Snort manual...nothing else required for rules info

Good luck!

Shashank

"It's difficult to improve perfection !"



"Wayne Fielder" <wayne () kentuckyregiments org>
Sent by: snort-users-admin () lists sourceforge net
07/13/2004 07:24 PM
Please respond to wayne () kentuckyregiments org
To: snort-users () lists sourceforge net
Subject: [Snort-users] NEWBIE: rule writing walkthru?


Greetings all,

    I'm brand new to Snort.  Know what it is capable of and want to play
with it but I'm having trouble getting out of the blocks.  I'm reading
through the docs and it seems pretty straightforward but I would like
to find a walkthru/tutorial or something like that for rule writing.

    I'm wanting to use Snort as both an IDS AND a web usage monitor.
I'm working with a state agency and money is...well...there is no money
to spend on a Netappliance machine or something of that ilk.  I was
thinking that if Snort can detect intrusions it must also be able to do
the web usage thing given the correct rule.

Wayne Fielder
MCP, GSEC, GCIH pending






--__--__--

Message: 8
Date: Wed, 14 Jul 2004 08:40:38 -0700
From: Scott Zawalski <scott.zawalski () web de>
To: Randy Ramsdell <rramsdel () comcast net>
CC: "'snort-users () lists sourceforge net'"
<snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Alerts question

If you are using the standard rule set then you should see some trips on 
the readme.eml content:

Rules  1284 and 1290. 
(http://www.snort.org/cgi-bin/sigs-search.cgi?sid=readme.eml)

As far as a specific CodeRed sid only 1256 applies for CodeRed v2 rule 
and it looks for /root.exe uricontent
(http://www.snort.org/snort-db/sid.html?sid=1256)

Scott

Randy Ramsdell wrote:


I have been getting scanned daily by a host that is infected with 
"code red". Obviously a web server is running on it and I went there 
and found the typical script trying to push "readme.eml."

So, shouldn't snort catch this?

I just need to know if it should without getting into specifics of my 
configuration.

I read that snort should detect "code red" if you go to the site,
but I am not sure if this is true.









--__--__--

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-users


End of Snort-users Digest

