[Snort-users] What to look for next ???

Bill Pennington billp at ...56...
Thu Aug 31 12:46:58 EDT 2000


Yes, -d and -D can be used together (and should!).

If you did not have the -d switch turned on when the alert happened I don't
think the logs are going to tell you much. Since this is a worm you should
be receiving a lot of these alerts as it propagates itself. If you have only
received one it might have been a false positive.


----- Original Message -----
From: Barry Wenger <barry.wenger at ...399...>
To: <snort-users at lists.sourceforge.net>
Sent: Wednesday, August 30, 2000 11:55 AM
Subject: Re: [Snort-users] What to look for next ???


> Thanks for the link - I checked it out and will pursue this one
> internally.
>
> My snort runs on my DMZ on a system that does DNS and Sendmail.  The
> sendmail distributes to an smtp agent internally, and that's what the from
> and to addresses indicate.  I have just changed from using a -d to -D
> switch.  Can the -d and -D be used in conjunction?  I do have log files being
> built in /var/log/snort/IPADDRESSES so I can check those along with the
> maillogs.
>
> Thanks
> Barry
>
> >>> "Bill Pennington" <billp at ...56...> 08/30/2000 11:42:02 AM >>>
> I found this info:
>
> http://www.datafellows.com/v-descs/nail.htm
>
> I used google (www.google.com) to track it down.
>
> There should be an IP address associated with the alert. This is the
> machine that sent the worm. Depending on where your sensor is located on
> your network this might point you to the person's machine that is infected,
> but it might point back to your mail server.
>
> Did you happen to log the packet payload with the -d switch? If you did
> then that might point you back to the infected machine as well.
>
> Good luck!
>
> ----- Original Message -----
> From: Barry Wenger <barry.wenger at ...399...>
> To: <snort-users at lists.sourceforge.net>
> Sent: Wednesday, August 30, 2000 11:05 AM
> Subject: [Snort-users] What to look for next ???
>
>
> > Hello all,
> >
> > I am a new user of snort - I found this message in my logs and am
> > wondering where to start looking next...
> >
> > snort[31687]: Virus - Possible Outgoing NAIL Worm: <snip>
> >
> > Also, I tried a Yahoo search on "nail worm" and came up with only two
> hits - both rules sets for snort.
> >
> > Thanks
> > Barry
> >
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > http://lists.sourceforge.net/mailman/listinfo/snort-users
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users
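The triage Bill describes (find the source IP behind the alert, see whether it fires once or many times, then check the Snort per-IP logs together with the maillogs) as a small POSIX shell script. This is an added example, not code from the thread or from the Snort project. It assumes a Snort 1.x syslog alert line of the form `snort[pid]: Virus - Possible Outgoing NAIL Worm: SRC:PORT -> DST:PORT` and a sendmail maillog line carrying `from=<addr>` and `relay=host [ip]`; the log lines, host names, addresses and the "more than two alerts" threshold are all constructed for the example.

```shell
#!/bin/sh
# Added example: triage a "Possible Outgoing NAIL Worm" Snort alert.
# Count alerts per source IP (one hit from one host is a likely false
# positive; many hits from one host looks like a propagating worm), then
# pull the envelope senders that host relayed through sendmail.

# Constructed sample of Snort 1.x syslog alert lines (assumed format:
# "... NAIL Worm: SRC:PORT -> DST:PORT").
SAMPLE_LOG='Aug 30 11:05:12 dmz snort[31687]: Virus - Possible Outgoing NAIL Worm: 10.0.0.5:1035 -> 192.0.2.25:25
Aug 30 11:05:40 dmz snort[31687]: Virus - Possible Outgoing NAIL Worm: 10.0.0.5:1036 -> 192.0.2.25:25
Aug 30 11:06:02 dmz snort[31687]: Virus - Possible Outgoing NAIL Worm: 10.0.0.5:1037 -> 192.0.2.25:25
Aug 30 11:07:15 dmz snort[31687]: Virus - Possible Outgoing NAIL Worm: 10.0.0.9:2211 -> 192.0.2.25:25
Aug 30 11:08:01 dmz snort[31687]: WEB-MISC cross site scripting attempt: 198.51.100.7:40311 -> 10.0.0.2:80'

# Constructed sample of sendmail maillog lines (assumed "from=<...>" and
# "relay=host [ip]" fields).
MAILLOG='Aug 30 11:05:12 dmz sendmail[4021]: LAA04021: from=<alice@example.com>, size=51234, class=0, nrcpts=1, proto=SMTP, relay=ws5.example.com [10.0.0.5]
Aug 30 11:05:40 dmz sendmail[4022]: LAA04022: from=<alice@example.com>, size=51234, class=0, nrcpts=1, proto=SMTP, relay=ws5.example.com [10.0.0.5]
Aug 30 11:07:15 dmz sendmail[4030]: LAA04030: from=<bob@example.com>, size=2210, class=0, nrcpts=1, proto=SMTP, relay=ws9.example.com [10.0.0.9]'

# Arbitrary cut-off for "this is more than a one-off" (an assumption).
THRESHOLD=2

# stdin: syslog lines. Output: "count src_ip" per source that tripped the
# NAIL alert, busiest source first.
nail_sources() {
    grep 'Possible Outgoing NAIL Worm' \
    | awk '{ split($(NF-2), a, ":"); print a[1] }' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'
}

# $1: source IP, stdin: syslog lines. Output: one-line verdict for that IP.
verdict_for() {
    n=$(grep -cF "NAIL Worm: $1:")
    if [ "$n" -gt "$THRESHOLD" ]; then
        echo "$1: $n alerts, consistent with a propagating worm"
    else
        echo "$1: $n alert(s), possible false positive"
    fi
}

# $1: relay IP, stdin: maillog lines. Output: distinct envelope senders
# that relayed through that IP (who to go and look at internally).
senders_from() {
    grep -F "[$1]" | sed -n 's/.*from=<\([^>]*\)>.*/\1/p' | sort -u
}

# Usage: run the three steps over the constructed samples.
printf '%s\n' "$SAMPLE_LOG" | nail_sources
for ip in $(printf '%s\n' "$SAMPLE_LOG" | nail_sources | awk '{ print $2 }'); do
    printf '%s\n' "$SAMPLE_LOG" | verdict_for "$ip"
    printf '%s\n' "$MAILLOG" | senders_from "$ip" | sed "s/^/  relayed from $ip: /"
done
```

On a real sensor, feed `/var/log/messages` (or wherever syslog sends Snort's alerts) and `/var/log/maillog` to these functions instead of the samples. The payload dumps under /var/log/snort/IPADDRESS are only there if -d was on at the time, which is why the reply above says to leave it on.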