[Techtalk] Nimda specific logging with Snort

Subba Rao subba9 at home.com
Mon Oct 15 11:21:41 EST 2001


This is the way I am invoking Snort on my Slackware 8 system.

snort -D -bo -g snort -u snort -i eth2 -t /usr/local/snort -l ./logs -c etc/snort.conf -A fast -z est 2>&1


The snort.conf has default settings for the most part.
The VARs have my network settings. There are hosts/segments
that I have defined to ignore. The only addition is to add the
nimda specific rules.

======== SNORT.CONF =========

ruletype nimda
{
  type alert
  output alert_fast: nimda.log
}

config order: nimda activation dynamic alert log pass

include nimda.rules

======== END SNORT.CONF =========


======== NIMDA.RULES ========

nimda tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS multiple \
decode attempt";  flags:A+; uricontent:"%5c"; uricontent:".."; \
reference:cve,CAN-2001-0333;classtype:attempted-user; sid:970; rev:2;)

nimda tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS msdac \
access"; flags:A+; uricontent:"/msdac/"; nocase; classtype:bad-unknown; \
sid:1285; rev:1;)

nimda tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS _mem_bin \
access"; flags:A+; uricontent:"/_mem_bin/"; nocase; classtype:bad-unknown; \
sid:1286; rev:1;)

nimda tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS scripts \
access"; flags:A+; uricontent:"/scripts/"; nocase; classtype:bad-unknown; \
sid:1287; rev:1;)

nimda tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe \
access"; flags: A+; content:"cmd.exe"; nocase; classtype:attempted-user; \
sid:1002; rev:1;)

nimda udp any any -> any 69 (msg:"TFTP GET Admin.dll"; content: "|41 64 6D \
69 6E 2E 64 6C 6C 00 6F 63 74 65 74|"; classtype:successful-admin; \
sid:1289; rev:1; reference:url,www.cert.org/advisories/CA-2001-26.html;)

nimda tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"WEB-MISC readme.eml \
autoload attempt"; flags:A+; content:"window.open("readme.eml""; nocase; \
classtype:attempted-user; sid:1290; rev:2; \
reference:url,www.cert.org/advisories/CA-2001-26.html;)

nimda tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"WEB-MISC readme.eml \
attempt"; flags:A+; uricontent:"readme.eml"; nocase; \
classtype:attempted-user; sid:1284; rev:3; \
reference:url,www.cert.org/advisories/CA-2001-26.html;)

nimda tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-FRONTPAGE \
/_vti_bin/ access";flags: A+; uricontent:"/_vti_bin/"; nocase; \
classtype:bad-unknown; sid:1288; rev:1;)

======== END NIMDA.RULES ========




I have even added the "logto" option at the end of the rule. Even that
is not making a difference.




======== NIMDA.RULES ========

nimda tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS multiple \
decode attempt";  flags:A+; uricontent:"%5c"; \
uricontent:"..";reference:cve,CAN-2001-0333;classtype:attempted-user; \
sid:970; rev:2; logto: "nimda.log";)

nimda tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS msdac \
access"; flags:A+; uricontent:"/msdac/"; nocase; classtype:bad-unknown; \
sid:1285; rev:1; logto: "nimda.log";)

nimda tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS _mem_bin \
access"; flags:A+; uricontent:"/_mem_bin/"; nocase; classtype:bad-unknown; \
sid:1286; rev:1; logto: "nimda.log";)

nimda tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS scripts \
access"; flags:A+; uricontent:"/scripts/"; nocase; classtype:bad-unknown; \
sid:1287; rev:1; logto: "nimda.log";)

nimda tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe \
access"; flags: A+; content:"cmd.exe"; nocase; classtype:attempted-user; \
sid:1002; rev:1; logto: "nimda.log";)

nimda udp any any -> any 69 (msg:"TFTP GET Admin.dll"; content: "|41 64 6D \
69 6E 2E 64 6C 6C 00 6F 63 74 65 74|"; classtype:successful-admin; \
sid:1289; rev:1; reference:url,www.cert.org/advisories/CA-2001-26.html; \
logto: "nimda.log";)

nimda tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"WEB-MISC readme.eml \
autoload attempt"; flags:A+; content:"window.open("readme.eml""; nocase; \
classtype:attempted-user; sid:1290; rev:2; \
reference:url,www.cert.org/advisories/CA-2001-26.html; logto: "nimda.log";)

nimda tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"WEB-MISC readme.eml \
attempt"; flags:A+; uricontent:"readme.eml"; nocase; \
classtype:attempted-user; sid:1284; rev:3; \
reference:url,www.cert.org/advisories/CA-2001-26.html; logto: "nimda.log";)

nimda tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-FRONTPAGE \
/_vti_bin/ access";flags: A+; uricontent:"/_vti_bin/"; nocase; \
classtype:bad-unknown; sid:1288; rev:1; logto: "nimda.log";)

======== END NIMDA.RULES ========





Bottom line question: where is my nimda.log? What am I doing wrong in
this configuration?

Thank you in advance for any solution.

-- 

Subba Rao
subba9 at home.com                     http://members.home.net/subba9/
OpenPGP/GPG public key ID CCB7344E

 => Time is relative. Here is a new way to look at time. <=
http://www.smcinnovations.com
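As an added illustration (my own code, not from the post or from Snort), a small strict parser for the Snort 1.x rule syntax used in NIMDA.RULES above: it joins the backslash continuations, splits the option list on semicolons outside quotes, checks that the rule action is a builtin or a declared ruletype such as the post's nimda, and reports a quoted value that continues past its closing quote, as the content in the sid:1290 rule does. The sample rules are constructed, and the assumption that inner quotes are meant to be written as \" is mine.

```python
import re
# Constructed sample in the shape of the post's NIMDA.RULES; the second rule carries
# the unescaped inner quotes that the post's sid:1290 rule has.
SAMPLE_RULES = r'''
nimda tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe \
access"; flags: A+; content:"cmd.exe"; nocase; sid:1002; rev:1; logto: "nimda.log";)
nimda tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"readme.eml autoload"; flags:A+; content:"window.open("readme.eml""; nocase; sid:1290; rev:2;)
'''
BUILTIN_ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}
HEADER_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
QUOTED_RE = re.compile(r'^(\w+)\s*:\s*"((?:[^"\\]|\\.)*)"(.*)$')   # key:"value"<trailing>

def split_options(body):
    """Split on ';' outside double quotes; a backslash inside quotes escapes the next char."""
    opts, cur, in_q, i = [], [], False, 0
    while i < len(body):
        c = body[i]
        if in_q and c == "\\" and i + 1 < len(body):
            cur.append(body[i:i + 2]); i += 2; continue
        if c == '"':
            in_q = not in_q
        if c == ";" and not in_q:
            opts.append("".join(cur)); cur = []
        else:
            cur.append(c)
        i += 1
    return [o.strip() for o in opts + ["".join(cur)] if o.strip()]

def parse_rule(line, ruletypes=frozenset()):
    """Parse one joined rule into header fields, an option dict and a list of problems."""
    m = HEADER_RE.match(line)
    if not m: raise ValueError("unparseable rule: " + line[:40])
    action, proto, src, sport, _, dst, dport, body = m.groups()
    rule = {"action": action, "proto": proto, "src": (src, sport), "dst": (dst, dport), "opts": {}, "problems": []}
    if action not in BUILTIN_ACTIONS and action not in ruletypes:
        rule["problems"].append(f"action '{action}' is neither builtin nor a declared ruletype")
    for opt in split_options(body):
        qm = QUOTED_RE.match(opt)
        if qm:                                  # key:"value", possibly with trailing junk
            key, val, trailing = qm.groups()
            if trailing.strip():
                rule["problems"].append(f"{key}: text after closing quote: {trailing.strip()!r}")
        else:                                   # key:value, or a bare modifier such as nocase
            key, _, val = (s.strip() for s in opt.partition(":"))
        rule["opts"][key] = val or True         # bare modifier becomes True
    return rule

def parse_rules(text, ruletypes=frozenset()):
    joined = text.replace("\\\n", "")           # join backslash-newline continuations
    return [parse_rule(l.strip(), ruletypes) for l in joined.splitlines() if l.strip()]
```

Calling parse_rules(SAMPLE_RULES, ruletypes={"nimda"}) reports no problems for the first rule and one for the second; without the ruletypes argument, every rule is flagged because nimda is not a builtin action.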
