[Snort-users] Exploits not being reported

Brian bmc at ...950...
Fri Nov 30 05:53:03 EST 2001


According to Arvind Clemente:
>     I have snort box up and running and is logging everything to mysql
> database. It can detect portscans in NMAP, Nimda viruses etc. But it
> could not detect wu-ftpd exploit and rpc-statd exploit.

So do us a favor, get a pcap log of the entire exploit session and
preferably send us the exploit, and I'll write signatures for it.

Snort only alerts on what it knows about, so share the info, and let's
make snort know about another set of exploits.

NOTE: when we write signatures, we try and write signatures that will
pick up an attack against the vulnerability, no matter what exploit is
being used.  Sometimes this is hard.  

So again, send us the data, and I'll see what I can do.

-brian

-- 
Verbogeny is one of the pleasurettes of a creatific thinkerizer.  
-- Peter da Silva 




