FW: [Snort-users] bug?

Fallon, Benjamin bfallon at ...4839...
Fri Feb 22 05:41:04 EST 2002

Diddo.  I got the same thing last night as well.

-----Original Message-----
From: Post, ME (Meint) [mailto:Meint.Post at ...5047...] 
Sent: Friday, February 22, 2002 3:52 AM
To: 'rdd at ...241...'
Cc: 'snort-users at lists.sourceforge.net'
Subject: [Snort-users] bug?


I'm wondering whether the following incident is a bug or an oversight on my
part. I'd appreciate some feedback on this:

Yesterday I noticed in the ACID console that one individual was quite
adamant in poking my server. I decided to check if the logged IP address
hosted a website so I could gain more knowledge about the intruder. Upon
entering the website I was literally jumped by Nimda viruses, which was
dutifully logged by Snort as part of the web-misc rules. My anti-virus
software blocked the Nimda virus. From this moment on my ACID log filled
itself with warnings that my webserver was attempting to infiltrate me with
readme.eml attacks. Every time I requested an ACID page with the warning my
logs filled with 60-70 warnings concerning readme.eml attacks. My webserver
is a Linux machine and therefore not susceptible to Nimda. I don't have
Samba shares installed so the virus hasn't jumped to my work machine. I did
some extensive scanning with two anti-virus programs on my work machine and
both didn't find anything. I scanned my Linux server with two anti-virus
programs and they didn't find anything either.

My suspicion is that Snort is triggered to report a Nimda readme.eml attack
by the reporting of ACID on the first attack, i.e. it is a cacade of
warnings because every new warning generates a new Snort log entry. In other
words, the fact that Snort has logged the first Nimda attack is reported by
ACID. Snort detects the phrase "readme.eml" in the ACID report page and
registers a new attack (registering an attack from my webserver where the
acid pages are generated). This new attack is reported by ACID, causing new
warnings etc...

Is this a correct assumption on my part? If so will this be corrected in a
new version? Right now I have disabled Nimda warnings in the web-misc.rules
file but this is not an ideal solution.



p.s. I like ACID a lot, keep up the good work!


De informatie opgenomen in dit bericht kan vertrouwelijk zijn en 
is uitsluitend bestemd voor de geadresseerde. Indien u dit bericht 
onterecht ontvangt wordt u verzocht de inhoud niet te gebruiken en 
de afzender direct te informeren door het bericht te retourneren. 
The information contained in this message may be confidential 
and is intended to be exclusively for the addressee. Should you 
receive this message unintentionally, please do not use the contents 
herein and notify the sender immediately by return e-mail.


Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list