[Snort-users] Demarc issues

Dennis Henderson hendo at ...3663...
Tue Oct 9 20:43:06 EDT 2001


Howdy fellow snorticians,

I brought up demarc recently and it seemed to work very well until lately.

Even though the snort.conf has a complete ruleset and is updating 
regularly, I am not triggering any of the nimda/codered attempts.

My apache logs clearly show the attempts.

I have enclosed the top part of my snort.conf.  I certainly would 
appreciate any changes/tweaks/corrections to my preprocessor statements.

Please reply privately and to the list so that any other lost wallowers 
having the same issue may benefit.

Thanks in advance.

hendo



var HOME_NET x.y.z.a/32   # <- you can probably figure this out from my reply-to address.
var EXTERNAL_NET any
var SMTP $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET


preprocessor frag2: 16777216, 30
preprocessor stream4: timeout 60, detect_scans
preprocessor stream4_reassemble: ports default
preprocessor http_decode: 80 -unicode -cginull
preprocessor rpc_decode: 111
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor portscan: $HOME_NET 4 3 portscan.log
output database: alert, mysql, user=xxxxxxxxxxx dbname=xxxxxxxx password=xxxxxxxxxer host=xxxxxx sensor_name=xxxxxxx

config classification: not-suspicious,Not Suspicious Traffic,0
config classification: unknown,Unknown Traffic,1
config classification: bad-unknown,Potentially Bad Traffic, 2
config classification: attempted-recon,Attempted Information Leak,3
config classification: successful-recon-limited,Information Leak,4
config classification: successful-recon-largescale,Large Scale Information Leak,5
config classification: attempted-dos,Attempted Denial of Service,6
config classification: successful-dos,Denial of Service,7
config classification: attempted-user,Attempted User Privilege Gain,8
config classification: unsuccessful-user,Unsuccessful User Privilege Gain,7
config classification: successful-user,Successful User Privilege Gain,9
config classification: attempted-admin,Attempted Administrator Privilege Gain,10
config classification: successful-admin,Successful Administrator Privilege Gain,11
config classification: rpc-portmapper-decode,Decode of an RPC Query,2
config classification: shellcode-detect,Executable code was detected,1
config classification: string-detect,A suspicious string was detected,3
config classification: suspicious-filename-detect,A suspicious filename was detected,2
config classification: system-call-detect,A system call was detected,2
config classification: tcp-connection,A TCP connection was detected,4
config classification: trojan-activity,A Network Trojan was detected, 1
config classification: unusual-client-port-connection,A client was using an unusual port,2
config classification: network-scan,Detection of a Network Scan,3
config classification: denial-of-service,Detection of a Denial of Service Attack,2
config classification: non-standard-protocol,Detection of a non-standard protocol or event,2
config classification: protocol-command-decode,Generic Protocol Command Decode,3
config classification: web-application-activity,potentially vulnerable web application access,2
config classification: web-application-attack,Web Application Attack,1
config classification: misc-activity,Misc activity,3
config classification: misc-attack,Misc Attack,2
config classification: icmp-event,Generic ICMP event,3
config classification: kickass-porn,SCORE! Get the lotion!,1

# ATTACK RESPONSES
# These signatures are those when they happen, its usually because a machine
# has been compromised.  These should not false that often and almost always
# mean a compromise.

alert tcp $HTTP_SERVERS 80 -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES http dir listing"; content: "Volume Serial Number"; flags: A+; classtype:bad-unknown; sid:1292; rev:1;)


<-snip-->


complete ruleset follows