[Snort-users] Ramen worm and Snort log entry

Brian Caswell bmc at ...312...
Sun Jun 17 11:12:35 EDT 2001


Subba Rao wrote:
> The following are the preprocessors in the snort.conf file. I have changed the
> IP addresses of the systems/network here.
> 
> ====================================================================
> var INTERNAL  192.168.1.0/24
> var EXTERNAL !$INTERNAL
> var DNS_SERVERS 192.168.1.5/24
> 
> preprocessor http_decode: 80 8080
> preprocessor minfrag: 128
> preprocessor portscan: 1.1.1.1/2 5 3 portscan.log
> preprocessor portscan-ignorehosts: 192.168.1.0/24
> 
> #include /usr/security/snort/etc/snort-vision.conf
> 
> output alert_full: alert
> ====================================================================
> 
> Why is Snort not logging any information about these trojan related alerts?

Because you don't have any rules listed there.  Uncomment the include
statement and try again.

-- 
Brian Caswell
The MITRE Corporation
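
An added example, not part of the original message and not Snort code: a small Python check for the misconfiguration in this thread, where preprocessors and an output plugin are set up but no rules are ever loaded. The function names are hypothetical, the sample is the configuration quoted above, and the check does not open included files.

```python
import re

# Snort 1.x rule actions: a line starting with one of these is a rule.
RULE_ACTIONS = ("alert", "log", "pass", "activate", "dynamic")

# The configuration quoted in the message above.
SAMPLE_CONF = """\
var INTERNAL  192.168.1.0/24
var EXTERNAL !$INTERNAL
var DNS_SERVERS 192.168.1.5/24

preprocessor http_decode: 80 8080
preprocessor minfrag: 128
preprocessor portscan: 1.1.1.1/2 5 3 portscan.log
preprocessor portscan-ignorehosts: 192.168.1.0/24

#include /usr/security/snort/etc/snort-vision.conf

output alert_full: alert
"""

def audit_snort_conf(text):
    """Collect active includes, inline rule count and commented-out includes."""
    report = {"includes": [], "rules": 0, "commented_includes": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("#"):
            # A commented-out include is the failure mode in this thread.
            m = re.match(r"#+\s*include\s+(\S+)", line)
            if m:
                report["commented_includes"].append((lineno, m.group(1)))
            continue
        parts = line.split(None, 1)
        if len(parts) < 2:
            continue
        if parts[0] == "include":
            report["includes"].append((lineno, parts[1]))
        elif parts[0] in RULE_ACTIONS:
            report["rules"] += 1
    return report

def findings(report):
    """Explain why a configuration would start with an empty rule set."""
    if report["includes"] or report["rules"]:
        return []
    msgs = ["no rules loaded: no active include and no inline rules"]
    for lineno, path in report["commented_includes"]:
        msgs.append(f"line {lineno}: include {path} is commented out")
    return msgs
```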



