[Snort-users] nimda

J. Craig Woods drjung at ...5405...
Fri Jul 12 13:14:14 EDT 2002

Hugo Ferr wrote:
> I just wonder-we're getting hit by bunch of nimda and those e-mails are
> rejected on our perimeter mail scanner - shouldn't I see some activity in
> snort regarding nimda?
> (snort 1.8.6)
> In snort.conf mail scanner is included in home_net and snort machine is set
> up to sniff the traffic coming to firewall public ip (mail scanner has dmz
> address nated to public ip by firewall)
> So again isn't it strange taht I don't see any nimda activity in snort
> sdensor?

Maybe I am missing something here, and it would not be the first nor the
last time that I missed something but wouldn't your mail scanner be
picking traffic up on port 25? Nimda attacks would be on port 80.
Furthermore, are you saying that the nimda is part of the email traffic?
Not sure what you are saying here. Maybe you could elucidate for us...


J. Craig Woods
UNIX Network/System Administration
Character is built upon the debris of despair --Emerson

More information about the Snort-users mailing list