[Snort-users] Alerts question

Scott Zawalski scott.zawalski at ...5689...
Fri Jul 16 08:53:13 EDT 2004


Snort will be able to detect it while it is being infected. It just 
parses packets, meaning the packet is already on its way to the machine. 
There is no positive or negative if the machine is actually infected 
though. Snort is just detecting the attack.

What do you mean by Nessus detects this? If you mean Nessus detects whether a 
machine is vulnerable, then that is because it is a non-passive security 
scanner, and these results can only be obtained via non-passive scanning, 
something Snort was not intended for.


Scott

Randy Ramsdell wrote:

>
>
> Scott Zawalski wrote:
>
>> If you are using the standard rule set then you should see some trips 
>> on the readme.eml content:
>>
>> Rules  1284 and 1290. 
>> (http://www.snort.org/cgi-bin/sigs-search.cgi?sid=readme.eml)
>>
>> As far as a specific CodeRed sid only 1256 applies for CodeRed v2 
>> rule and it looks for /root.exe uricontent
>> (http://www.snort.org/snort-db/sid.html?sid=1256)
>>
>> Scott
>
>
>
> That is what I thought, but somehow the infected systems do not 
> trigger snort. Obviously there is something amiss, but I can't figure 
> it out.  I will have to look into this in detail because I want to 
> know when a "non" infectable system even goes to a site that is 
> infected. Nessus was able to detect this.
>
> What does it take for snort to detect?
> Does the "readme.eml" have to infect a system before snort detects it? 
> Or will snort be able to detect before infection?
>
> RCR
>
>>
>> Randy Ramsdell wrote:
>>
>>>
>>> I have been getting scanned daily by a host that is infected with 
>>> "code red". Obviously a web server is running on it and I went there 
>>> and found the typical script trying to push "readme.eml."
>>>
>>> So, shouldn't snort catch this?
>>>
>>> I just need to know if it should without getting into specifics of 
>>> my configuration.
>>>
>>> I read that snort should detect "code red" if you go to the site, 
>>> but I am not sure if this is true.
>>>
>>
>
>
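As an added illustration of the point Scott makes above (example code, not from the thread and not Snort's own code): a toy matcher in the spirit of Snort's uricontent/content checks, run over constructed packets. It shows that an alert depends only on the bytes crossing the sensor, not on whether the destination host actually gets infected, and that the direction a rule inspects is one thing to check when expected alerts do not appear. The rule bodies are illustrative stand-ins for sids 1256/1284/1290, the 192.168.1.0/24 HOME_NET and local sid 1000001 are assumptions, and all traffic is constructed.

```python
from dataclasses import dataclass
from typing import Optional
import ipaddress
HOME_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed local network

@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes      # HTTP request or response bytes as seen on the wire

@dataclass
class Rule:
    sid: int
    uricontent: Optional[bytes] = None   # matched only against the request URI
    content: Optional[bytes] = None      # matched anywhere in the payload

# Illustrative rule bodies, not the real sid 1256 text; 1000001 is a made-up local sid.
RULES = [
    Rule(1256, uricontent=b"/root.exe"),       # CodeRed v2 root.exe access
    Rule(1000001, content=b"readme.eml"),      # readme.eml reference in a response
]

def request_uri(payload: bytes) -> Optional[bytes]:
    """URI from an HTTP request line; None for responses or non-HTTP data."""
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    return parts[1] if len(parts) == 3 and parts[2].startswith(b"HTTP/") else None

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    # Like typical web rules, only inspect traffic entering HOME_NET; the
    # match depends solely on the bytes, never on whether dst is vulnerable.
    src_home = ipaddress.ip_address(pkt.src) in HOME_NET
    dst_home = ipaddress.ip_address(pkt.dst) in HOME_NET
    if src_home or not dst_home:
        return False
    if rule.uricontent is not None:
        uri = request_uri(pkt.payload)
        if uri is None or rule.uricontent not in uri:
            return False
    return rule.content is None or rule.content in pkt.payload

def alerts(packets):
    """Return (sid, src, dst) for every rule/packet pair that matches."""
    return [(r.sid, p.src, p.dst) for p in packets for r in RULES if rule_matches(r, p)]

# Constructed traffic: probe at a patched host, browse to an infected site, its reply, outbound probe.
SAMPLE = [
    Packet("203.0.113.7", "192.168.1.10", b"GET /scripts/root.exe?/c+dir HTTP/1.0\r\n\r\n"),
    Packet("192.168.1.20", "203.0.113.7", b"GET / HTTP/1.0\r\n\r\n"),
    Packet("203.0.113.7", "192.168.1.20", b"HTTP/1.1 200 OK\r\n\r\n<html><script>/* pushes readme.eml */</script></html>"),
    Packet("192.168.1.30", "203.0.113.9", b"GET /root.exe HTTP/1.0\r\n\r\n"),
]
```

The first packet alerts even though the target is not IIS, the third alerts on the response bytes alone, and the last one is silent because an inbound-only rule never sees traffic leaving HOME_NET.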
