[Snort-users] Configuration issue
jsage at ...2022...
Sat Sep 22 21:44:03 EDT 2001
Just a thought:
Do you actually have any rules active that will detect CodeRed or Nimda?
When I do this:
[toot at ...3561... /usr/local/snort-1.8.1-RELEASE]# grep 'CodeRed' *.rules
All I get is this:
web-iis.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg: "WEB-IIS CodeRed v2 root.exe access"; flags: A+; uricontent:"scripts/root.exe?"; nocase; classtype: attempted-admin; sid: 1257; rev: 1;)
So there's only this one rule in the default rules (at least for Build
74 of 1.8.1-RELEASE on Linux), and of course there would be *nothing*
for Nimda, unless you added it yourself, Nimda being so new and all...
FinchHaven, Vashon Island, WA, USA
mailto:jsage at ...2022...
"The web is so, like, five minutes ago..."
DJDave Sobel wrote:
> Snort Users:
> Need a little help... I believe I have everything configured
> correctly... having built and installed snort 1.8.1, I have it running
> and configured for my network. My network is divided into three major
> subnets, one with publicly addressable IPs, and two private blocks.
> Despite the fact that I'm seeing multiple CodeRed and Nimda attacks in
> the web server logs, Snort does not seem to see them -- or certainly
> doesn't report them. I'm not using anything more than the standard
> ruleset, so I'm not sure what I'm doing wrong.
> I've included my snort.conf below, and I execute snort with this
> /usr/local/bin/snort -c /usr/local/snort/snort.conf -dD
> I have removed the -dD and verified that snort does run, and with the
> -dD I can see it in the process list.
> Can anyone help?
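The grep above only shows that a rule text exists somewhere; it does not tell you whether the rule is uncommented, whether the file it lives in is actually pulled in by an `include` line in snort.conf, or whether a rule wrapped with backslash continuations would be missed by a single-line grep. The following script is an added example for this thread, not code from the Snort project: it parses a constructed snort.conf and two constructed rule files (only sid 1257 comes from the thread; the 1000000+ sids, $HTTP_SERVERS value and file contents are placeholders) and reports, for a keyword, which matching rules would really fire.

```python
"""Audit which Snort rules matching a keyword are actually active.

Added example for this thread, not code from the Snort project. It goes
beyond the grep in the post: it parses rule options, honours backslash
line continuations, keeps commented-out rules (marked disabled) and checks
that the rule file is included from snort.conf.
"""
import re
from typing import Dict, List

# Constructed sample config and rule files (not the real 1.8.1 distribution
# files). Only sid 1257 is taken from the thread; the 1000000+ sids are
# placeholders in the local-rule range.
SNORT_CONF = """\
var HTTP_SERVERS 192.168.1.0/24
var EXTERNAL_NET any
include web-iis.rules
# include web-misc.rules
"""

RULE_FILES: Dict[str, str] = {
    "web-iis.rules": """\
# WEB-IIS rules (constructed sample)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS CodeRed v2 root.exe access"; flags:A+; uricontent:"scripts/root.exe?"; nocase; classtype:attempted-admin; sid:1257; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; flags:A+; uricontent:"cmd.exe"; nocase; classtype:web-application-attack; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .ida attempt"; \\
    flags:A+; uricontent:".ida?"; nocase; classtype:web-application-attack; sid:1000002; rev:1;)
""",
    "web-misc.rules": """\
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC readme.eml access"; flags:A+; uricontent:"readme.eml"; nocase; classtype:attempted-user; sid:1000003; rev:1;)
""",
}

# action proto src sport direction dst dport (options)
RULE_RE = re.compile(
    r"^(\w+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$"
)
# key[:value]; where value is a quoted string or anything up to the next ';'
OPT_RE = re.compile(r'(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')


def included_rule_files(conf_text: str) -> List[str]:
    """Return the rule files pulled in by uncommented 'include' lines."""
    files = []
    for line in conf_text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0] == "include":
            files.append(parts[1].strip())
    return files


def parse_rules(text: str) -> List[dict]:
    """Parse every rule in a file; commented-out rules are kept with enabled=False."""
    joined = re.sub(r"\\\r?\n\s*", " ", text)  # join backslash continuations
    rules = []
    for raw in joined.splitlines():
        line = raw.strip()
        enabled = not line.startswith("#")
        line = line.lstrip("#").strip()
        m = RULE_RE.match(line)
        if not m:
            continue  # blank line, a comment that is not a rule, or unparsable
        action, proto, src, sport, _direction, dst, dport, opts = m.groups()
        rule = {"action": action, "proto": proto, "src": src, "sport": sport,
                "dst": dst, "dport": dport, "enabled": enabled}
        for opt in OPT_RE.finditer(opts):
            key, val = opt.group(1), opt.group(2)
            rule[key] = "" if val is None else val.strip().strip('"')
        rules.append(rule)
    return rules


def audit(conf_text: str, rule_files: Dict[str, str], keyword: str) -> List[dict]:
    """List rules whose msg or uricontent mentions keyword and whether each
    would really fire: not commented out, and its file included from snort.conf."""
    included = set(included_rule_files(conf_text))
    kw = keyword.lower()
    hits = []
    for fname, text in rule_files.items():
        for rule in parse_rules(text):
            haystack = (rule.get("msg", "") + " " + rule.get("uricontent", "")).lower()
            if kw in haystack:
                hits.append({
                    "file": fname,
                    "sid": rule.get("sid"),
                    "msg": rule.get("msg"),
                    "active": rule["enabled"] and fname in included,
                })
    return hits


if __name__ == "__main__":
    for kw in ("CodeRed", "cmd.exe", "readme.eml", "Nimda"):
        hits = audit(SNORT_CONF, RULE_FILES, kw)
        print(f"{kw}: {len(hits)} rule(s)")
        for h in hits:
            state = "ACTIVE" if h["active"] else "inactive"
            print(f"  sid {h['sid']} [{state}] {h['file']}: {h['msg']}")
```

Run against a real install by reading snort.conf and the rule files from the rules directory into `SNORT_CONF` and `RULE_FILES`; a keyword with zero hits, or hits that are all inactive, is the situation the post describes, where the sensor is running but has nothing that would alert on that traffic.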