[Snort-users] No longer seeing exploit traffic on version 2.0.0
cmg at ...1935...
Mon Apr 28 07:25:08 EDT 2003
Lloyd_Ardoin at ...9013... writes:
> 1. (*) text/plain ( ) text/html
> I have been using Snort 1.9.0 and had upgraded to 1.9.1 about 3 weeks ago.
> It is running on a Linux RedHat Dell box on our DMZ. It has been up and
> monitoring for about 3 months. It is configured to log to a mysql database
> and I have the ACID console up and working also. The Snort box has been
> logging about 2 dozen alerts a day on average. Mostly IIS Web exploits. I
> upgraded to the 2.0.0 version on April 23rd and I am no longer getting any
> alerts from Snort. I have created an alert rule in the local.rules file
> that says -
> alert ip !$HOME_NET any -> $HOME_NET any
> which is generating alerts. But I am no longer seeing any alerts on the
> consistent IIS web exploints I have been seeing for the last couple of
> months. I have reviewed everything on my setup but can't seem to come up
> with anything....can anyone provide any suggestions?
Try -A fast -b and see if it's related to ACID or related to snort.
I recommend adding a message
alert ip !$HOME_NET any -> $HOME_NET any (msg: "LOCAL: goofy man";)
Chris Green <cmg at ...1935...>
Laugh and the world laughs with you, snore and you sleep alone.
More information about the Snort-users