This is a discussion on Re: [Snort-users] Who doesn't care about virus rules, and why? within the Snort forums, part of the System Security and Security Related category.
Williams Jon wrote:
> What we've ended up doing is monitoring the default route path for
> our network and watching for either TCP SYNs that are going places
> they shouldn't or TCP RST packets generated either by the firewall or
> the odd host that is actually hit. With thresholding, we can
> generate fairly useful alerts in cases where, in Blaster's case, one
> source address sends out TCP port 135 SYN packets to more than X
> number of hosts in Y period of time. This is so reliable, in nearly
> every case we've used it on, that we are able to auto-generate email
> alerts that go to someone else to actually _deal_ with the problem
> rather than making the IDS staff track down and call each victim
> independently.

We're doing something similar with ICMP on our network, but how can you tell the difference between large numbers of hosts and large numbers of packets to a single host? Would you mind posting one of your rules to illustrate the point?

Thanks,

Iain.
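Iain's question is the crux of the "more than X hosts in Y seconds" test. A plain per-source packet threshold, such as Snort's rule-level `threshold` keyword with `track by_src`, counts matching events from one source within a time window regardless of how many destinations they went to, so a SYN retry storm against a single host and a Blaster-style sweep across a subnet look the same to it. Telling them apart needs a count of distinct destination hosts per source. The Python below is an added illustration, not code from either poster or from Snort: it replays constructed TCP/135 SYN records (addresses and timings are invented for the example) through two sliding-window detectors, one counting distinct destinations per source and one counting packets per source, and reports which sources each one fires on.

```python
"""Sweep detection: distinct destination hosts per source vs. packets per source.

Added example; not code from the Snort-users thread or from Snort itself.
All addresses, ports and timings below are constructed for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Syn:
    ts: float      # seconds since start of capture
    src: str       # source IP
    dst: str       # destination IP
    dport: int     # destination port


class _WindowTracker:
    """Keeps, per source, the (timestamp, dst) pairs seen in the last `window` seconds."""

    def __init__(self, dport: int, window: float) -> None:
        self.dport = dport
        self.window = window
        self._events: Dict[str, Deque[Tuple[float, str]]] = defaultdict(deque)

    def _recent(self, syn: Syn) -> Deque[Tuple[float, str]]:
        q = self._events[syn.src]
        q.append((syn.ts, syn.dst))
        cutoff = syn.ts - self.window
        while q and q[0][0] < cutoff:      # drop events that fell out of the window
            q.popleft()
        return q


class DistinctHostSweep(_WindowTracker):
    """Fires when one source hits more than `max_hosts` distinct destinations
    on `dport` within `window` seconds (the 'X hosts in Y seconds' test)."""

    def __init__(self, dport: int = 135, max_hosts: int = 10, window: float = 60.0) -> None:
        super().__init__(dport, window)
        self.max_hosts = max_hosts

    def observe(self, syn: Syn) -> Optional[Tuple[str, int]]:
        if syn.dport != self.dport:
            return None
        hosts = {dst for _, dst in self._recent(syn)}
        return (syn.src, len(hosts)) if len(hosts) > self.max_hosts else None


class PacketCountThreshold(_WindowTracker):
    """What a plain per-source packet threshold does: counts matching packets
    in the window, no matter how many destinations they were sent to."""

    def __init__(self, dport: int = 135, max_packets: int = 10, window: float = 60.0) -> None:
        super().__init__(dport, window)
        self.max_packets = max_packets

    def observe(self, syn: Syn) -> Optional[Tuple[str, int]]:
        if syn.dport != self.dport:
            return None
        n = len(self._recent(syn))
        return (syn.src, n) if n > self.max_packets else None


def alerting_sources(events: List[Syn], detector) -> List[str]:
    """Replay events in order; return the sorted set of sources that alerted."""
    hits = set()
    for e in events:
        r = detector.observe(e)
        if r is not None:
            hits.add(r[0])
    return sorted(hits)


def sample_events() -> List[Syn]:
    """Constructed traffic mix (not captured data)."""
    ev: List[Syn] = []
    # Sweep: one source, 20 different hosts on tcp/135 within 10 seconds.
    ev += [Syn(i * 0.5, "10.0.0.5", f"10.0.1.{i + 1}", 135) for i in range(20)]
    # Retry storm: one source, 20 SYNs to a single host on tcp/135.
    ev += [Syn(i * 0.5, "10.0.0.9", "10.0.1.1", 135) for i in range(20)]
    # Ordinary web traffic to many hosts, wrong port, must be ignored.
    ev += [Syn(i * 0.2, "10.0.0.7", f"10.0.2.{i + 1}", 80) for i in range(30)]
    # Slow walker: 20 hosts, but two minutes apart, so never >10 in one 60s window.
    ev += [Syn(i * 120.0, "10.0.0.11", f"10.0.3.{i + 1}", 135) for i in range(20)]
    ev.sort(key=lambda s: s.ts)
    return ev


if __name__ == "__main__":
    events = sample_events()
    print("distinct-host sweep:", alerting_sources(events, DistinctHostSweep()))
    print("packet-count threshold:", alerting_sources(events, PacketCountThreshold()))
```

Only the sweeping source trips `DistinctHostSweep`; the retry storm trips the packet counter as well, which is exactly the false positive a packet-only threshold produces. The slow walker shows the other edge: a window that is too short relative to the scan rate never accumulates enough distinct hosts, so X and Y have to be chosen against the worm's observed rate, not picked arbitrarily.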