[Snort-users] What to look for next ???

Barry Wenger barry.wenger at ...399...
Wed Aug 30 14:55:13 EDT 2000

Thanks for the link - I checked it out and will pursue this one internally.

My snort runs on my DMZ on a system that does DNS and Sendmail.  The sendmail distributes to an smtp agent internally, and that's what the from and to addresses indicate.  I have just changed from using a -d to -D switch.  Can the -d and -D be used in conjunction?  I do have log files being built in /va/log/snort/IPADDRESSES so I can check those along with the maillogs.


>>> "Bill Pennington" <billp at ...56...> 08/30/2000 11:42:02 AM >>>
I found this info:


I used google (www.google.com) to track it down.

There should be an IP address associated with the alert. This is the machine
that sent the worm. Depending on where your sensor is located on your
network this might point you to the person's machine that is infected, but it
might point back to your mail server.

Did you happen to log the packet payload with the -d switch? If you did then
that might point you back to the infected machine as well.

Good luck!

----- Original Message -----
From: Barry Wenger <barry.wenger at ...399...>
To: <snort-users at lists.sourceforge.net>
Sent: Wednesday, August 30, 2000 11:05 AM
Subject: [Snort-users] What to look for next ???

> Hello all,
> I am a new user of snort - I found this message in my logs and am wondering where to start looking next...
> snort[31687]: Virus - Possible Outgoing NAIL Worm: <snip>
> Also, I tried a Yahoo search on "nail worm" and came up with only two hits - both rules sets for snort.
> Thanks
> Barry