[Snort-users] What to look for next ???

Bill Pennington billp at ...56...
Wed Aug 30 14:42:02 EDT 2000


I found this info:

http://www.datafellows.com/v-descs/nail.htm

I used Google (www.google.com) to track it down.

There should be an IP address associated with the alert. This is the machine
that sent the worm. Depending on where your sensor is located on your
network this might point you to the person's machine that is infected, but it
might point back to your mail server.

Did you happen to log the packet payload with the -d switch? If you did then
that might point you back to the infected machine as well.

Good luck!

----- Original Message -----
From: Barry Wenger <barry.wenger at ...399...>
To: <snort-users at lists.sourceforge.net>
Sent: Wednesday, August 30, 2000 11:05 AM
Subject: [Snort-users] What to look for next ???


> Hello all,
>
> I am a new user of snort - I found this message in my logs and am
> wondering where to start looking next...
>
> snort[31687]: Virus - Possible Outgoing NAIL Worm: <snip>
>
> Also, I tried a Yahoo search on "nail worm" and came up with only two
> hits - both rules sets for snort.
>
> Thanks
> Barry