[Snort-users] Ramen worm and Snort log entry

Subba Rao subba9 at ...530...
Sun Jun 17 07:21:23 EDT 2001


On  0, Brian Caswell <bmc at ...312...> wrote:
> Subba Rao wrote:
> > The following are the preprocessors in the snort.conf file. I have changed the
> > IP addresses of the systems/network here.
> > 
> > ====================================================================
> > var INTERNAL  192.168.1.0/24
> > var EXTERNAL !$INTERNAL
> > var DNS_SERVERS 192.168.1.5/24
> > 
> > preprocessor http_decode: 80 8080
> > preprocessor minfrag: 128
> > preprocessor portscan: 1.1.1.1/2 5 3 portscan.log
> > preprocessor portscan-ignorehosts: 192.168.1.0/24
> > 
> > #include /usr/security/snort/etc/snort-vision.conf
> > 
> > output alert_full: alert
> > ====================================================================
> > 
> > Why is Snort not logging any information about these trojan related alerts?
> 
> Because you don't have any rules listed there.  Uncomment the include
> statement
> and try again.
> 

There is a huge set of rules below the "output alert_full: alert" line. The
include statement includes MaxVision's rule set. The current configuration file
has the default snort rule set and "include"s the MaxVision's rule set. The
default file and MaxVision's file do include the Ramen worm rule. It is kinda
redundant but I have left them in the file.

-- 

Subba Rao
subba9 at ...530...
http://members.home.net/subba9/

GPG public key ID 27FC9217
Key fingerprint = 2B4C 498E 1860 5A2B 6570  5852 7527 882A 27FC 9217
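The exchange above turns on whether the posted snort.conf actually activates any rules: the preprocessors and the alert_full output plugin are configured, but the only include is commented out and no rule lines appear in the snippet. The following script is an added example, not code from this thread or from the Snort project: it parses a Snort 1.x-style configuration, counts active vars, preprocessors, includes, output plugins and rule lines, flags commented-out includes and references to undefined $variables, and reports when a configuration would load without a single active rule. The embedded configuration text is constructed from the snippet in the thread, and the "fixed" variant (include uncommented, one illustrative rule line with a made-up message and port) is likewise constructed for the demonstration.

```python
"""Audit a Snort 1.x-style snort.conf for a configuration that loads no rules.

Added example for the mailing-list thread; not part of the post and not
Snort's own code.  Parsing follows the top-down, one-statement-per-line
layout of Snort 1.x configuration files.
"""
import re

# Rule actions recognised in Snort 1.x rule syntax.
RULE_ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}

# Matches $NAME references to variables declared with "var NAME value".
VAR_REF = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")

# Constructed from the thread's snippet (addresses were already altered there).
SAMPLE_CONF = """\
var INTERNAL  192.168.1.0/24
var EXTERNAL !$INTERNAL
var DNS_SERVERS 192.168.1.5/24

preprocessor http_decode: 80 8080
preprocessor minfrag: 128
preprocessor portscan: 1.1.1.1/2 5 3 portscan.log
preprocessor portscan-ignorehosts: 192.168.1.0/24

#include /usr/security/snort/etc/snort-vision.conf

output alert_full: alert
"""

# Constructed variant: include active and one illustrative rule line.
# The rule's port and message are made up for the example.
SAMPLE_CONF_FIXED = SAMPLE_CONF.replace("#include", "include") + (
    'alert tcp $EXTERNAL any -> $INTERNAL 27374 '
    '(msg:"constructed example rule"; flags:S;)\n'
)


def audit_snort_conf(text):
    """Return {'counts': {...}, 'findings': [...]} for one snort.conf text."""
    counts = {"var": 0, "preprocessor": 0, "include": 0,
              "commented_include": 0, "output": 0, "rule": 0}
    findings = []
    defined_vars = set()

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue

        # A commented-out include is the classic "why no alerts?" mistake.
        if line.startswith("#"):
            body = line.lstrip("#").strip()
            if body.startswith("include"):
                counts["commented_include"] += 1
                findings.append(f"line {lineno}: include is commented out: {body}")
            continue

        # Snort parses top-down, so a $VAR must be declared before it is used.
        for name in VAR_REF.findall(line):
            if name not in defined_vars:
                findings.append(f"line {lineno}: reference to undefined variable ${name}")

        keyword = line.split(None, 1)[0]
        if keyword == "var":
            parts = line.split(None, 2)
            if len(parts) == 3:
                defined_vars.add(parts[1])
                counts["var"] += 1
            else:
                findings.append(f"line {lineno}: malformed var declaration")
        elif keyword in ("preprocessor", "include", "output"):
            counts[keyword] += 1
        elif keyword in RULE_ACTIONS:
            counts["rule"] += 1
        else:
            findings.append(f"line {lineno}: unrecognised statement: {line}")

    # No active rule lines and no active includes: the sensor starts, runs its
    # preprocessors and output plugin, but has nothing to match traffic against.
    if counts["rule"] == 0 and counts["include"] == 0:
        findings.append("no active rules or includes: rule-based alerts cannot fire")

    return {"counts": counts, "findings": findings}


if __name__ == "__main__":
    for label, conf in (("as posted", SAMPLE_CONF), ("fixed", SAMPLE_CONF_FIXED)):
        result = audit_snort_conf(conf)
        print(f"[{label}] counts: {result['counts']}")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

Run against the posted snippet the audit reports one commented-out include and zero rules, which is exactly the condition Brian's reply describes; the poster's claim that the rules sit further down the real file is something the script would confirm or refute directly when run on the complete snort.conf rather than the excerpt.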