[Snort-users] Configuration issue

John Sage jsage at ...2022...
Sat Sep 22 21:44:03 EDT 2001

Just a thought:

Do you actually have active any rules that will detect CodeRed or Nimda?

When I do this:

[toot at ...3561... /usr/local/snort-1.8.1-RELEASE]# grep 'CodeRed' *.rules

All I get is this:

web-iis.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80
(msg: "WEB-IIS CodeRed v2 root.exe
access"; flags: A+; uricontent:"scripts/root.exe?"; nocase; classtype: 
attempted-admin; sid: 1257; rev: 1;)

So there's only this one rule in the default rules (at least for Build 
74 of 1.8.1-RELEASE on Linux), and of course there would be *nothing* 
for Nimda, unless you added it yourself, Nimda being so new and all...

- John

John Sage
FinchHaven, Vashon Island, WA, USA
mailto:jsage at ...2022...
"The web is so, like, five minutes ago..."

DJDave Sobel wrote:

> Snort Users:
> Need a little help... I believe I have everything configured
> correctly... having built and installed snort 1.8.1, I have it running
> and configured for my network.  My network is divided into three major
> subnets, one with publically addressable IPs, and two private blocks.  
> Despite the fact that I'm seeing multiple CodeRed and Nimba attacks in
> the web server logs, Snort does not seem to see them -- or certainly
> doesn't report them.  I'm not using anything more than the standard
> ruleset, so I'm not sure what I'm doing wrong.
> I've included my snort.conf below, and I execute snort with this
> command:
> /usr/local/bin/snort -c /usr/local/snort/snort.conf -dD
> I have removed the -dD and verified that snort does run, and with the
> -dD I can see it in the process list.
> Can anyone help?
> Dave

<sir snip-a-lot>

More information about the Snort-users mailing list