On Thu, 19 Jul 2001 10:55:10 -0700 (PDT) Joe Smith <shadowm4nat_private> wrote:

> Interesting. I played around with the rules some, and
> figured out why Snort wasn't finding it with the .ida
> rule. Since I'm only logging the first 100 bytes of
> data, the .ida rule misses it because part of the
> criteria of the rule is for data size to be greater
> than 239 bytes.
>

Ahh... that explains that! My Snort was seeing some '.ida?' probes *but* none of the machines that got hit by the red code worm were logged.

The external addresses that were detected by Snort appear to be probing random addresses on port 80 -- just like the red worm does. Are there two versions out there?

Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
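The miss Joe describes is worth seeing concretely: the rule needs both the '.ida?' content and a payload size above 239 bytes, but a sniffer that keeps only the first 100 bytes of each packet hands the rule a truncated payload whose size can never exceed 239, so the size test fails even though the content test passes. The following is an added illustration, not code from the list or from Snort; the rule logic is an approximation of the .ida rule as the thread describes it (content match plus a dsize threshold), and the probe payload is a constructed sample with arbitrary padding, not the worm's actual request.

```python
"""Model of why a 100-byte capture snaplen hides a long .ida request from a
dsize-gated rule.  Added example; the rule is an approximation of the Snort
.ida rule described in the thread, and the sample request is constructed."""

from typing import Optional, Tuple


def build_probe(padding_len: int = 300) -> bytes:
    """Constructed HTTP request modelled on a long .ida overflow probe.
    The padding is arbitrary filler, not the worm's real payload."""
    return b"GET /default.ida?" + b"X" * padding_len + b" HTTP/1.0\r\n\r\n"


def capture(payload: bytes, snaplen: Optional[int]) -> bytes:
    """What the sensor actually logs: the full payload, or only the first
    `snaplen` bytes when payload logging is truncated (the thread's 100 bytes)."""
    return payload if snaplen is None else payload[:snaplen]


def evaluate_ida_rule(captured: bytes, min_dsize: int = 239) -> Tuple[bool, bool]:
    """Return (content_ok, dsize_ok) for the two conditions of the rule as the
    thread describes it: '.ida?' present (case-insensitive) AND payload size
    greater than min_dsize bytes.  Both must hold for an alert."""
    content_ok = b".ida?" in captured.lower()
    dsize_ok = len(captured) > min_dsize
    return content_ok, dsize_ok


def ida_rule_matches(captured: bytes, min_dsize: int = 239) -> bool:
    content_ok, dsize_ok = evaluate_ida_rule(captured, min_dsize)
    return content_ok and dsize_ok


def explain(payload: bytes, snaplen: Optional[int]) -> str:
    """Human-readable verdict for a payload logged at a given snaplen."""
    captured = capture(payload, snaplen)
    content_ok, dsize_ok = evaluate_ida_rule(captured)
    verdict = "ALERT" if (content_ok and dsize_ok) else "no alert"
    return (f"snaplen={snaplen}: logged {len(captured)} bytes, "
            f"content={'hit' if content_ok else 'miss'}, "
            f"dsize>239={'yes' if dsize_ok else 'no'} -> {verdict}")


if __name__ == "__main__":
    worm_like = build_probe()
    # Short scanner-style probe: has the string but not the overflow-sized payload.
    short_probe = b"GET /default.ida? HTTP/1.0\r\n\r\n"
    print(explain(worm_like, None))   # full capture: both conditions hold
    print(explain(worm_like, 100))    # 100-byte snaplen: content hits, size fails
    print(explain(short_probe, None)) # short probe: content hits, size fails
```

Running it shows the pattern Russell reports: a sensor logging only 100 bytes still sees the '.ida?' string on short probes and on truncated worm requests alike, but the dsize clause never fires, so the actual infections produce no alert. The fix is to capture enough payload (here, more than 239 bytes) for the rule to see the size it keys on.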
This archive was generated by hypermail 2b30 : Thu Jul 19 2001 - 20:14:54 PDT