[Techtalk] Nimda specific logging with Snort
Subba Rao
subba9 at home.com
Mon Oct 15 11:21:41 EST 2001
This is the way I am invoking Snort on my Slackware 8 system.
snort -D -bo -g snort -u snort -i eth2 -t /usr/local/snort -l ./logs -c etc/snort.conf -A fast -z est 2>&1
The snort.conf has default settings for the most part.
The VARs have my network settings. There are hosts/segments
that I have defined to ignore. The only addition is to add the
Nimda-specific rules.
======== SNORT.CONF =========
# custom rule type: behaves like "alert" but goes through its own alert_fast output
ruletype nimda
{
type alert
output alert_fast: nimda.log
}
# rule types are applied in this order, so nimda rules are checked first
config order: nimda activation dynamic alert log pass
include nimda.rules
======== END SNORT.CONF =========
======== NIMDA.RULES ========
nimda tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS multiple \
decode attempt"; flags:A+; uricontent:"%5c"; uricontent:".."; \
reference:cve,CAN-2001-0333;classtype:attempted-user; sid:970; rev:2;)
nimda tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS msdac \
access"; flags:A+; uricontent:"/msdac/"; nocase; classtype:bad-unknown; \
sid:1285; rev:1;)
nimda tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS _mem_bin \
access"; flags:A+; uricontent:"/_mem_bin/"; nocase; classtype:bad-unknown; \
sid:1286; rev:1;)
nimda tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS scripts \
access"; flags:A+; uricontent:"/scripts/"; nocase; classtype:bad-unknown; \
sid:1287; rev:1;)
nimda tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe \
access"; flags: A+; content:"cmd.exe"; nocase; classtype:attempted-user; \
sid:1002; rev:1;)
nimda udp any any -> any 69 (msg:"TFTP GET Admin.dll"; content: "|41 64 6D \
69 6E 2E 64 6C 6C 00 6F 63 74 65 74|"; classtype:successful-admin; \
sid:1289; rev:1; reference:url,www.cert.org/advisories/CA-2001-26.html;)
nimda tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"WEB-MISC readme.eml \
autoload attempt"; flags:A+; content:"window.open(\"readme.eml\""; nocase; \
classtype:attempted-user; sid:1290; rev:2; \
reference:url,www.cert.org/advisories/CA-2001-26.html;)
nimda tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"WEB-MISC readme.eml \
attempt"; flags:A+; uricontent:"readme.eml"; nocase; \
classtype:attempted-user; sid:1284; rev:3; \
reference:url,www.cert.org/advisories/CA-2001-26.html;)
nimda tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-FRONTPAGE \
/_vti_bin/ access";flags: A+; uricontent:"/_vti_bin/"; nocase; \
classtype:bad-unknown; sid:1288; rev:1;)
======== END NIMDA.RULES ========
I have even added the "logto" option at the end of the rules. Even that
is not making a difference.
======== NIMDA.RULES ========
nimda tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS multiple \
decode attempt"; flags:A+; uricontent:"%5c"; \
uricontent:"..";reference:cve,CAN-2001-0333;classtype:attempted-user; \
sid:970; rev:2; logto: "nimda.log";)
nimda tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS msdac \
access"; flags:A+; uricontent:"/msdac/"; nocase; classtype:bad-unknown; \
sid:1285; rev:1; logto: "nimda.log";)
nimda tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS _mem_bin \
access"; flags:A+; uricontent:"/_mem_bin/"; nocase; classtype:bad-unknown; \
sid:1286; rev:1; logto: "nimda.log";)
nimda tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS scripts \
access"; flags:A+; uricontent:"/scripts/"; nocase; classtype:bad-unknown; \
sid:1287; rev:1; logto: "nimda.log";)
nimda tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe \
access"; flags: A+; content:"cmd.exe"; nocase; classtype:attempted-user; \
sid:1002; rev:1; logto: "nimda.log";)
nimda udp any any -> any 69 (msg:"TFTP GET Admin.dll"; content: "|41 64 6D \
69 6E 2E 64 6C 6C 00 6F 63 74 65 74|"; classtype:successful-admin; \
sid:1289; rev:1; reference:url,www.cert.org/advisories/CA-2001-26.html; \
logto: "nimda.log";)
nimda tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"WEB-MISC readme.eml \
autoload attempt"; flags:A+; content:"window.open(\"readme.eml\""; nocase; \
classtype:attempted-user; sid:1290; rev:2; \
reference:url,www.cert.org/advisories/CA-2001-26.html; logto: "nimda.log";)
nimda tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"WEB-MISC readme.eml \
attempt"; flags:A+; uricontent:"readme.eml"; nocase; \
classtype:attempted-user; sid:1284; rev:3; \
reference:url,www.cert.org/advisories/CA-2001-26.html; logto: "nimda.log";)
nimda tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-FRONTPAGE \
/_vti_bin/ access";flags: A+; uricontent:"/_vti_bin/"; nocase; \
classtype:bad-unknown; sid:1288; rev:1; logto: "nimda.log";)
======== END NIMDA.RULES ========
Bottom-line question: where is my nimda.log? What am I doing wrong in
this configuration?
Thank you in advance for any solution.
--
Subba Rao
subba9 at home.com http://members.home.net/subba9/
OpenPGP/GPG public key ID CCB7344E
=> Time is relative. Here is a new way to look at time. <=
http://www.smcinnovations.com
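A small checker for the rules-file format in the post above, added here as an example and not part of the original post or of Snort itself: it parses each rule's header and its `;`-separated options (joining backslash-continued lines and honouring `\"` inside a content pattern, as the readme.eml rule needs) and flags rules that do not use the `nimda` action, since only those are handled by the custom ruletype and its output plugin. The first two sample rules are copied from the file above; the third, with the stock `alert` action and a reused sid, is constructed to show what the checker reports.

```python
import re

# Snort rule header: action proto src sport direction dst dport (option body)
HEADER = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)$")
# One rule option: ';' separates options only outside double quotes, \" is an escaped quote
OPTION = re.compile(r'(?:"(?:\\.|[^"\\])*"|\\.|[^;"])+')

def parse_rules(text):
    """Parse a rules file: backslash-newline continues a rule, '#' starts a comment."""
    rules = []
    for line in text.replace("\\\n", "").splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER.match(line)
        if not m:
            raise ValueError("unparsable rule: " + line[:60])
        action, proto, src, sport, _, dst, dport, body = m.groups()
        opts = {}
        for opt in OPTION.findall(body):
            key, _, val = opt.strip().partition(":")
            val = val.strip()
            if val[:1] == '"' == val[-1:]:        # drop surrounding quotes, undo \" escapes
                val = val[1:-1].replace('\\"', '"')
            opts.setdefault(key, []).append(val)   # options such as uricontent may repeat
        rules.append({"action": action, "proto": proto, "src": src, "sport": sport,
                      "dst": dst, "dport": dport, "options": opts})
    return rules

def check_rules(rules, action="nimda"):
    """Flag rules that bypass the custom ruletype (and so its output file) or reuse a sid."""
    seen, problems = set(), []
    for r in rules:
        sid = r["options"].get("sid", ["?"])[0]
        if r["action"] != action:
            problems.append(f"sid {sid}: action {r['action']!r} is not {action!r}")
        if sid in seen:
            problems.append(f"sid {sid}: duplicate sid")
        seen.add(sid)
    return problems

# Constructed sample: two rules from the file above plus a deliberately wrong third one.
SAMPLE = r'''nimda tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS multiple \
decode attempt"; flags:A+; uricontent:"%5c"; uricontent:".."; sid:970; rev:2;)
nimda tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"WEB-MISC readme.eml \
autoload attempt"; flags:A+; content:"window.open(\"readme.eml\""; nocase; sid:1290; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; \
content:"cmd.exe"; nocase; sid:970; rev:1;)
'''
```

Running `check_rules(parse_rules(open("nimda.rules").read()))` over the real file should return an empty list when every rule is routed through the `nimda` action.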