Ramen worm and Snort log entry
- To: Israeli Linux Users <linux-il(at-nospam)linux.org.il>
- Subject: Ramen worm and Snort log entry
- From: Subba Rao <subba9(at-nospam)home.com>
- Date: Sun, 17 Jun 2001 08:29:32 +0000
- Delivered-To: linux.org.il-linux-il@linux.org.il
- Reply-To: Subba Rao <subba9(at-nospam)home.com>
- Sender: linux-il-bounce(at-nospam)cs.huji.ac.il
I have the following rules in my snort.conf and max-vision.conf, that should
enter a log entry into the "alerts" file for a Ramen worm probe.
====================================================================
alert TCP $EXTERNAL 27374 -> $INTERNAL any (msg: "IDS485/trojan-active-subseven22"; flags: A+; content: "|0d0a5b52504c5d3030320d0a|"; reference:arachnids,485;)
alert TCP $EXTERNAL any -> $INTERNAL 27374 (msg: "IDS460/worm-ramen-asp-retrieval-incoming"; flags: A+; content: "GET "; depth: 8; nocase;)
alert TCP $INTERNAL any -> $EXTERNAL 27374 (msg: "IDS461/worm-ramen-asp-retrieval-outgoing"; flags: A+; content: "GET "; depth: 8; nocase;)
alert TCP $EXTERNAL 27374 -> $INTERNAL any (msg: "IDS279/trojan-active-subseven21"; flags: SA; reference:arachnids,279;)
alert tcp $INTERNAL any -> $EXTERNAL 27374 (msg: "IDS461 - Ramen worm outgoing"; flags: PA; content: "GET "; depth: 8; nocase;)
alert tcp $EXTERNAL any -> $INTERNAL 27374 (msg: "IDS460 - Ramen worm incoming"; flags: PA; content: "GET "; depth: 8; nocase;)
====================================================================
I am also running tcpdump separately to watch the traffic inbound and outbound.
The tcpdump logs and syslogs (ipchains entries) show quite a few probes for
the Ramen trojan. The Snort logs do not have any entries in the "alert" or
"portscan.log" files.
The following are the preprocessors in the snort.conf file. I have changed the
IP addresses of the systems/network here.
====================================================================
var INTERNAL 192.168.1.0/24
var EXTERNAL !$INTERNAL
var DNS_SERVERS 192.168.1.5/24
preprocessor http_decode: 80 8080
preprocessor minfrag: 128
preprocessor portscan: 1.1.1.1/2 5 3 portscan.log
preprocessor portscan-ignorehosts: 192.168.1.0/24
#include /usr/security/snort/etc/snort-vision.conf
output alert_full: alert
====================================================================
Why is Snort not logging any information about these trojan related alerts?
Thank you in advance for any help.
--
Subba Rao
subba9@home.com
http://members.home.net/subba9/
GPG public key ID 27FC9217
Key fingerprint = 2B4C 498E 1860 5A2B 6570 5852 7527 882A 27FC 9217
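As an added illustration (not part of Subba Rao's post), the following Python evaluates the four posted Ramen rules against a few constructed packets, using only the Snort rule options they depend on: $INTERNAL/$EXTERNAL address matching, the flags modifier (A+ means ACK set plus any other bits, PA means exactly PSH and ACK), and content "GET " searched within the first 8 payload bytes with nocase. It shows that a bare SYN connection attempt to port 27374, which is the kind of event ipchains and tcpdump record as a probe, satisfies none of these rules, while only an established session carrying a GET request does. The rule text is copied from the post with the wrapped lines joined; the network prefix, addresses, ports and payloads are constructed assumptions, and the matcher is a teaching model, not Snort's own engine.

```python
"""Toy evaluator for the Snort rule options used by the posted Ramen rules."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-in for the posted "var INTERNAL 192.168.1.0/24".
INTERNAL_PREFIX = "192.168.1."

# Rule text copied from the post, wrapped lines joined back together.
RULES_TEXT = """
alert TCP $EXTERNAL any -> $INTERNAL 27374 (msg: "IDS460/worm-ramen-asp-retrieval-incoming"; flags: A+; content: "GET "; depth: 8; nocase;)
alert TCP $INTERNAL any -> $EXTERNAL 27374 (msg: "IDS461/worm-ramen-asp-retrieval-outgoing"; flags: A+; content: "GET "; depth: 8; nocase;)
alert tcp $INTERNAL any -> $EXTERNAL 27374 (msg: "IDS461 - Ramen worm outgoing"; flags: PA; content: "GET "; depth: 8; nocase;)
alert tcp $EXTERNAL any -> $INTERNAL 27374 (msg: "IDS460 - Ramen worm incoming"; flags: PA; content: "GET "; depth: 8; nocase;)
"""

RULE_RE = re.compile(
    r"^alert\s+tcp\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$", re.IGNORECASE)


@dataclass
class Rule:
    src: str
    sport: str
    dst: str
    dport: str
    msg: str
    flags: Optional[str]
    content: Optional[bytes]
    depth: Optional[int]
    nocase: bool


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # TCP flag letters as Snort writes them, e.g. "S" or "PA"
    payload: bytes


def parse_rule(line: str) -> Rule:
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a simple 'alert tcp' rule: {line!r}")
    src, sport, dst, dport, body = m.groups()
    opts = {}
    for opt in filter(None, (o.strip() for o in body.split(";"))):
        key, _, val = opt.partition(":")       # "nocase" has no value
        opts[key.strip().lower()] = val.strip()
    content = opts.get("content")
    content = content.strip('"').encode() if content is not None else None
    depth = int(opts["depth"]) if "depth" in opts else None
    return Rule(src, sport, dst, dport, opts["msg"].strip('"'),
                opts.get("flags"), content, depth, "nocase" in opts)


def addr_matches(spec: str, ip: str) -> bool:
    internal = ip.startswith(INTERNAL_PREFIX)
    spec = spec.upper()
    if spec == "ANY":
        return True
    if spec == "$INTERNAL":
        return internal
    if spec == "$EXTERNAL":          # posted as "var EXTERNAL !$INTERNAL"
        return not internal
    raise ValueError(f"unsupported address spec {spec!r}")


def port_matches(spec: str, port: int) -> bool:
    return spec.lower() == "any" or int(spec) == port


def flags_match(spec: str, flags: str) -> bool:
    """Exact flag set by default; '+' = these bits plus any others; '*' = any of them."""
    want, have = set(spec.rstrip("+*")), set(flags)
    if spec.endswith("+"):
        return want <= have
    if spec.endswith("*"):
        return bool(want & have)
    return want == have


def content_matches(rule: Rule, payload: bytes) -> bool:
    if rule.content is None:
        return True
    window = payload if rule.depth is None else payload[:rule.depth]  # depth: first N bytes
    needle = rule.content
    if rule.nocase:
        window, needle = window.lower(), needle.lower()
    return needle in window


def evaluate(rules: List[Rule], pkt: Packet) -> List[str]:
    """Return the msg of every rule whose header, flags and content all match pkt."""
    fired = []
    for r in rules:
        if not (addr_matches(r.src, pkt.src) and port_matches(r.sport, pkt.sport)
                and addr_matches(r.dst, pkt.dst) and port_matches(r.dport, pkt.dport)):
            continue
        if r.flags and not flags_match(r.flags, pkt.flags):
            continue
        if content_matches(r, pkt.payload):
            fired.append(r.msg)
    return fired


RULES = [parse_rule(l) for l in RULES_TEXT.strip().splitlines()]


def demo() -> dict:
    """Constructed packets: what tcpdump might show on port 27374 (addresses are made up)."""
    req = b"GET /ramen.tgz HTTP/1.0\r\n"
    packets = {
        "syn_probe": Packet("10.9.8.7", 4321, "192.168.1.10", 27374, "S", b""),
        "fetch_pa": Packet("10.9.8.7", 4321, "192.168.1.10", 27374, "PA", req),
        "fetch_ack_only": Packet("10.9.8.7", 4321, "192.168.1.10", 27374, "A", req),
        "outbound": Packet("192.168.1.10", 1025, "10.9.8.7", 27374, "PA", req.lower()),
    }
    return {name: evaluate(RULES, p) for name, p in packets.items()}


if __name__ == "__main__":
    for name, alerts in demo().items():
        print(f"{name:15s} -> {alerts or 'no alert'}")
```

The SYN-only probe fires nothing because every posted Ramen rule requires the ACK bit and a "GET " in the first 8 payload bytes; the ACK-only packet shows the difference between the A+ rule and the exact PA rule, and the lower-case outbound request shows nocase at work.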