[Snort-users] What to look for next ???
barry.wenger at ...399...
Thu Aug 31 16:12:33 EDT 2000
Unfortunately, I did have -d turned on - it's on now! In any case, since I have only seen the one I am not too concerned at this point. Thanks for the info...
>>> "Bill Pennington" <billp at ...56...> 08/31/2000 9:46:58 AM >>>
Yes, -d and -D can be used together (and should!).
If you did not have the -d switch turned on when the alert happened I don't
think the logs are going to tell you much. Since this is a worm you should
be receiving a lot of these alerts as it propagates itself. If you have only
received one it might have been a false positive.
----- Original Message -----
From: Barry Wenger <barry.wenger at ...399...>
To: <snort-users at lists.sourceforge.net>
Sent: Wednesday, August 30, 2000 11:55 AM
Subject: Re: [Snort-users] What to look for next ???
> Thanks for the link - I checked it out and will pursue this one.
> My snort runs on my DMZ on a system that does DNS and Sendmail. The
> sendmail distributes to an smtp agent internally, and that's what the from
> and to addresses indicate. I have just changed from using a -d to -D
> switch. Can the -d and -D be used in conjunction? I do have log files being
> built in /va/log/snort/IPADDRESSES so I can check those along with the
> >>> "Bill Pennington" <billp at ...56...> 08/30/2000 11:42:02 AM >>>
> I found this info:
> I used google (www.google.com) to track it down.
> There should be an IP address associated with the alert. This is the
> that sent the worm. Depending on where your sensor is located on your
> network this might point you to the person's machine that is infected, but
> might point back to your mail server.
> Did you happen to log the packet payload with the -d switch? If you did
> that might point you back to the infected machine as well.
> Good luck!
> ----- Original Message -----
> From: Barry Wenger <barry.wenger at ...399...>
> To: <snort-users at lists.sourceforge.net>
> Sent: Wednesday, August 30, 2000 11:05 AM
> Subject: [Snort-users] What to look for next ???
> > Hello all,
> > I am a new user of snort - I found this message in my logs and am
> wondering where to start looking next...
> > snort: Virus - Possible Outgoing NAIL Worm: <snip>
> > Also, I tried a Yahoo search on "nail worm" and came up with only two
> hits - both rules sets for snort.
> > Thanks
> > Barry
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > http://lists.sourceforge.net/mailman/listinfo/snort-users
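The triage Bill describes in the thread (every alert carries a source IP; a self-propagating worm should produce a burst of alerts, so a lone hit is a false-positive candidate) as an added shell example. This is not code from the thread or from the Snort project. It assumes Snort's "full" alert record layout (a "[**] message [**]" header followed by a "src:port -> dst:port" line) and embeds a constructed sample in that layout; the log directory and the snort switches mentioned in the comments are the ones the thread discusses.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the Snort project.
# Snort run as the thread discusses, writing per-IP logs plus an alert file
# under /var/log/snort (-d dumps payload, -D daemonizes, -l sets the log dir):
#   snort -d -D -l /var/log/snort -c snort.conf
# Below, the alert file is read from stdin so the example runs offline.

# Constructed sample in Snort's full alert layout. Three outgoing hits from one
# internal host and a single incoming hit. Addresses are documentation ranges.
SAMPLE_ALERTS=$(cat <<'EOF'
[**] Virus - Possible Outgoing NAIL Worm [**]
08/30-10:55:01.123456 10.0.0.5:1034 -> 192.0.2.25:25
TCP TTL:128 TOS:0x0 ID:4321 DF

[**] Virus - Possible Outgoing NAIL Worm [**]
08/30-10:55:03.654321 10.0.0.5:1035 -> 192.0.2.26:25
TCP TTL:128 TOS:0x0 ID:4322 DF

[**] Virus - Possible Outgoing NAIL Worm [**]
08/30-10:55:09.000001 10.0.0.5:1036 -> 192.0.2.27:25
TCP TTL:128 TOS:0x0 ID:4323 DF

[**] Virus - Possible Incoming NAIL Worm [**]
08/30-11:05:00.000000 198.51.100.7:4412 -> 10.0.0.25:25
TCP TTL:54 TOS:0x0 ID:9 DF
EOF
)

# tally_alerts: read full-format alerts on stdin and print one line per
# (signature, source IP) pair as "count|signature|src_ip", highest count first.
# Each "[**] msg [**]" header is paired with the next "src:port -> dst:port" line.
tally_alerts() {
    awk '
        /^\[\*\*\] / {
            sig = $0
            sub(/^\[\*\*\] /, "", sig); sub(/ \[\*\*\]$/, "", sig)
            next
        }
        / -> / && sig != "" {
            src = $2; sub(/:[0-9]+$/, "", src)   # drop the source port
            count[sig "|" src]++
            sig = ""
        }
        END { for (k in count) print count[k] "|" k }
    ' | sort -t'|' -k1,1nr
}

# single_hit_signatures: signatures seen exactly once across all sources.
# A worm that is really loose produces a burst of alerts, so a lone hit is
# the false-positive candidate Bill mentions and deserves a look at the
# payload (which only exists if -d was on when the alert fired).
single_hit_signatures() {
    tally_alerts | awk -F'|' '
        { total[$2] += $1 }
        END { for (s in total) if (total[s] == 1) print s }
    ' | sort
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_ALERTS" | tally_alerts
printf '%s\n' "$SAMPLE_ALERTS" | single_hit_signatures
```

On a live sensor, feed the real file instead of the sample (`tally_alerts < /var/log/snort/alert`); the top line names the source that is generating the most alerts, which on a DMZ sensor sitting on the mail relay may be the relay itself rather than the infected workstation, exactly the caveat raised in the thread.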