Ramen worm and Snort log entry
- To: Tokyo Linux Users Group <tlug@example.com>
- Subject: Ramen worm and Snort log entry
- From: Subba Rao <subba9@example.com>
- Date: Sun, 17 Jun 2001 09:07:52 +0000
- Content-Disposition: inline
- Content-Type: text/plain; charset=us-ascii
- Reply-To: Subba Rao <subba9@example.com>
- Resent-From: tlug@example.com
- Resent-Message-ID: <mdnW4D.A.QdD.8sKL7@example.com>
- Resent-Sender: tlug-request@example.com
I have the following rules in my snort.conf and max-vision.conf, that should enter a log entry into the "alerts" file for a Ramen worm probe.

====================================================================
alert TCP $EXTERNAL 27374 -> $INTERNAL any (msg: "IDS485/trojan-active-subseven 22"; flags: A+; content: "|0d0a5b52504c5d3030320d0a|"; reference:arachnids,485;)
alert TCP $EXTERNAL any -> $INTERNAL 27374 (msg: "IDS460/worm-ramen-asp-retrieval-incoming"; flags: A+; content: "GET "; depth: 8; nocase;)
alert TCP $INTERNAL any -> $EXTERNAL 27374 (msg: "IDS461/worm-ramen-asp-retrieval-outgoing"; flags: A+; content: "GET "; depth: 8; nocase;)
alert TCP $EXTERNAL 27374 -> $INTERNAL any (msg: "IDS279/trojan-active-subseven 21"; flags: SA; reference:arachnids,279;)
alert tcp $INTERNAL any -> $EXTERNAL 27374 (msg: "IDS461 - Ramen worm outgoing"; flags: PA; content: "GET "; depth: 8; nocase;)
alert tcp $EXTERNAL any -> $INTERNAL 27374 (msg: "IDS460 - Ramen worm incoming"; flags: PA; content: "GET "; depth: 8; nocase;)
====================================================================

I am also running tcpdump separately to watch the traffic inbound and outbound. The tcpdump logs and syslogs (ipchains entries) show quite a few probes for the Ramen trojan. The Snort logs do not have any entries in the "alert" or "portscan.log" files. The following are the preprocessors in the snort.conf file. I have changed the IP addresses of the systems/network here.

====================================================================
var INTERNAL 192.168.1.0/24
var EXTERNAL !$INTERNAL
var DNS_SERVERS 192.168.1.5/24
preprocessor http_decode: 80 8080
preprocessor minfrag: 128
preprocessor portscan: 1.1.1.1/2 5 3 portscan.log
preprocessor portscan-ignorehosts: 192.168.1.0/24
#include /usr/security/snort/etc/snort-vision.conf
output alert_full: alert
====================================================================

Why is Snort not logging any information about these trojan related alerts?

Thank you in advance for any help.

--
Subba Rao
subba9@example.com
http://members.home.net/subba9/
GPG public key ID 27FC9217
Key fingerprint = 2B4C 498E 1860 5A2B 6570 5852 7527 882A 27FC 9217
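Every rule in the post requires an ACK-bearing packet (flags A+ or PA) and, for the Ramen rules, a "GET " inside the first 8 payload bytes, so a bare SYN probe of port 27374 can never satisfy them even when the rule header matches; port-scan noise is the portscan preprocessor's job, not the rules'. The block below is an added example, not code from the post, from Snort, or from the Max Vision rule set: a minimal matcher for exactly the rule subset shown above (header fields, flags, content, depth, nocase), run over three constructed packet summaries. The rule text is copied from the post with the line-wrapped msg strings rejoined, $EXTERNAL is treated as !$INTERNAL as the posted var declares, and the sample addresses are documentation ranges, not real hosts.

```python
import ipaddress
import re

# Network variable as declared in the posted snort.conf; $EXTERNAL is !$INTERNAL there.
INTERNAL = ipaddress.ip_network("192.168.1.0/24")

# Snort flag letters to TCP flag names. A trailing "+" means "these flags plus any
# others"; without it the packet's flag set must match exactly.
FLAG_LETTERS = {"F": "FIN", "S": "SYN", "R": "RST", "P": "PSH", "A": "ACK", "U": "URG"}

RULE_RE = re.compile(r"alert\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")


def decode_content(text):
    """Turn a Snort content string into bytes: |..| segments are hex, the rest is literal."""
    out = b""
    for i, part in enumerate(text.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return out


def parse_rule(line):
    """Parse the subset of Snort 1.x rule syntax used in the post (header plus a few options)."""
    m = RULE_RE.match(line)
    if not m:
        raise ValueError("unsupported rule syntax: " + line)
    proto, src, sport, dst, dport, opts = m.groups()
    rule = {"proto": proto.lower(), "src": src, "sport": sport, "dst": dst, "dport": dport,
            "msg": "", "flags": None, "content": None, "depth": None, "nocase": False}
    for opt in opts.split(";"):
        opt = opt.strip()
        if not opt:
            continue
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip().strip('"')
        if key == "msg":
            rule["msg"] = val
        elif key == "flags":
            rule["flags"] = val
        elif key == "content":
            rule["content"] = decode_content(val)
        elif key == "depth":
            rule["depth"] = int(val)
        elif key == "nocase":
            rule["nocase"] = True
        # "reference" does not affect matching and is ignored here
    return rule


def addr_matches(spec, ip):
    if spec == "any":
        return True
    if spec == "$INTERNAL":
        return ip in INTERNAL
    if spec == "$EXTERNAL":  # var EXTERNAL !$INTERNAL
        return ip not in INTERNAL
    return ip in ipaddress.ip_network(spec, strict=False)


def port_matches(spec, port):
    return spec == "any" or int(spec) == port


def flags_match(spec, flags):
    if spec is None:
        return True
    wanted = {FLAG_LETTERS[c] for c in spec if c in FLAG_LETTERS}
    return wanted <= flags if spec.endswith("+") else wanted == flags


def content_matches(rule, payload):
    if rule["content"] is None:
        return True
    # depth limits the search to the first N payload bytes; no payload means no match
    hay = payload if rule["depth"] is None else payload[:rule["depth"]]
    needle = rule["content"]
    if rule["nocase"]:
        hay, needle = hay.lower(), needle.lower()
    return needle in hay


def rule_matches(rule, pkt):
    return (rule["proto"] == pkt["proto"]
            and addr_matches(rule["src"], pkt["src"]) and port_matches(rule["sport"], pkt["sport"])
            and addr_matches(rule["dst"], pkt["dst"]) and port_matches(rule["dport"], pkt["dport"])
            and flags_match(rule["flags"], pkt["flags"])
            and content_matches(rule, pkt["payload"]))


def alerts_for(rules, pkt):
    """Return the msg of every rule that fires on the packet, in rule order."""
    return [r["msg"] for r in rules if rule_matches(r, pkt)]


# The six rules from the post, with the line-wrapped msg strings rejoined.
RULE_TEXT = [
    'alert TCP $EXTERNAL 27374 -> $INTERNAL any (msg: "IDS485/trojan-active-subseven 22"; flags: A+; content: "|0d0a5b52504c5d3030320d0a|"; reference:arachnids,485;)',
    'alert TCP $EXTERNAL any -> $INTERNAL 27374 (msg: "IDS460/worm-ramen-asp-retrieval-incoming"; flags: A+; content: "GET "; depth: 8; nocase;)',
    'alert TCP $INTERNAL any -> $EXTERNAL 27374 (msg: "IDS461/worm-ramen-asp-retrieval-outgoing"; flags: A+; content: "GET "; depth: 8; nocase;)',
    'alert TCP $EXTERNAL 27374 -> $INTERNAL any (msg: "IDS279/trojan-active-subseven 21"; flags: SA; reference:arachnids,279;)',
    'alert tcp $INTERNAL any -> $EXTERNAL 27374 (msg: "IDS461 - Ramen worm outgoing"; flags: PA; content: "GET "; depth: 8; nocase;)',
    'alert tcp $EXTERNAL any -> $INTERNAL 27374 (msg: "IDS460 - Ramen worm incoming"; flags: PA; content: "GET "; depth: 8; nocase;)',
]
RULES = [parse_rule(r) for r in RULE_TEXT]


def packet(src, sport, dst, dport, flags, payload=b""):
    """Constructed packet summary (documentation addresses, not real hosts)."""
    return {"proto": "tcp", "src": ipaddress.ip_address(src), "sport": sport,
            "dst": ipaddress.ip_address(dst), "dport": dport, "flags": set(flags),
            "payload": payload}


# Constructed sample traffic: a bare SYN probe of 27374, an established connection
# carrying a GET to 27374, and a reply from an external host's port 27374 carrying
# the banner bytes that IDS485 looks for.
SYN_PROBE = packet("203.0.113.7", 4321, "192.168.1.10", 27374, ["SYN"])
INBOUND_GET = packet("203.0.113.7", 4321, "192.168.1.10", 27374, ["PSH", "ACK"],
                     b"GET /index.html HTTP/1.0\r\n")
BANNER_REPLY = packet("203.0.113.7", 27374, "192.168.1.10", 4321, ["PSH", "ACK"],
                      b"\r\n[RPL]002\r\n")

if __name__ == "__main__":
    for name, pkt in [("SYN probe", SYN_PROBE), ("inbound GET", INBOUND_GET),
                      ("banner reply", BANNER_REPLY)]:
        print(name, "->", alerts_for(RULES, pkt) or "no rule fires")
```

Run stand-alone, the block shows the SYN probe firing no rule at all, while the same source host's GET on an established connection fires both IDS460 variants and the banner reply fires IDS485 but not IDS279 (whose flags SA demand exactly SYN+ACK). Whether a probe seen by tcpdump or ipchains appears in Snort's alert file therefore depends on whether the connection ever carried the content the rule names.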
- Follow-Ups:
- Re: Ramen worm and Snort log entry
- From: Noah <nevans@example.com>