mkettler at ...189...
Tue May 27 15:01:05 EDT 2003
Snort should catch the directory traversal attempts from Nimda with the

Some things to check:
1) What is HTTP_PORTS defined as in snort.conf? If you have a comma in
there, look no further. Comma-separated lists are NOT supported here, just
single ports or :-separated ranges.
2) What are HTTP_SERVERS and EXTERNAL_NET defined as in snort.conf? How
do the destination and source addresses of the attacks relate to these
ranges? (i.e.: is the source included in EXTERNAL_NET and the targeted server
3) Are you using stream4?
4) What kind of dropped-packet rate are you getting?

At 04:42 PM 5/27/2003 -0400, Joe Kinsella wrote:
>I'm new to snort so please forgive me if I am re-treading old ground. I've
>installed Snort 2.0 on my IIS web server. My web server is also running
>URLScan to reject specific attacks. One of the attacks I see frequently
>rejected is Nimda (http://www.cert.org/advisories/CA-2001-26.html). Snort
>did not flag these HTTP requests as attacks - and I scanned the rule files
>for a rule that looks like it would have caught Nimda. Since this worm has
>been around so long, I am assuming a rule MUST be available for this.
>Advice is appreciated.
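
Checks 1 and 2 from the reply above, written out as an added example (not part of the original thread and not Snort's own code): it lints the `var` lines of a snort.conf and tests whether one observed request's source and destination fall inside EXTERNAL_NET and HTTP_SERVERS. The config fragment, the addresses and all function names are constructed for illustration, and the port check follows the reply's statement that only single ports or colon-separated ranges are accepted.

```python
import ipaddress
import re

# Constructed snort.conf fragment (sample data, not from the thread).
SAMPLE_CONF = """\
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET
var HTTP_SERVERS [192.168.1.10/32,192.168.1.11/32]
var HTTP_PORTS 80,8080
"""

def parse_vars(conf):
    """Collect 'var NAME VALUE' lines; commented-out lines do not match."""
    found = {}
    for line in conf.splitlines():
        m = re.match(r"\s*var\s+(\w+)\s+(\S+)", line)
        if m:
            found[m.group(1)] = m.group(2)
    return found

def port_var_ok(value):
    """Accept a single port or an a:b / :b / a: range; a comma list fails."""
    return re.fullmatch(r"\d+|\d*:\d+|\d+:", value) is not None

def addr_matches(ip, value, variables):
    """True if ip is covered by an address value: any, CIDR, [list], $VAR, !negation."""
    if value.startswith("!"):
        return not addr_matches(ip, value[1:], variables)
    if value.startswith("$"):
        return addr_matches(ip, variables[value[1:]], variables)
    if value == "any":
        return True
    if value.startswith("["):
        members = value.strip("[]").split(",")
        return any(addr_matches(ip, m, variables) for m in members)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(value, strict=False)

def check(conf, src, dst):
    """Return the reasons an HTTP rule would not apply to a src -> dst request."""
    v = parse_vars(conf)
    findings = []
    if not port_var_ok(v.get("HTTP_PORTS", "")):
        findings.append("HTTP_PORTS is not a single port or a:b range")
    if not addr_matches(src, v.get("EXTERNAL_NET", "any"), v):
        findings.append("source is not inside EXTERNAL_NET")
    if not addr_matches(dst, v.get("HTTP_SERVERS", "any"), v):
        findings.append("destination is not inside HTTP_SERVERS")
    return findings
```

Run `check()` with the source and destination of a request that URLScan rejected but Snort did not flag; an empty list means checks 1 and 2 are not the cause.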