RE: [Snort-users] Who doesn't care about virus rules, and why?
This is a discussion on RE: [Snort-users] Who doesn't care about virus rules, and why? within the Snort forums, part of the System Security and Security Related category; Williams Jon said: > The majority of worms that I've seen, with the notable exception of > SQLSlammer, are ...
|
|||||||
| FAQ | Members List | Calendar | Search | Today's Posts | Mark Forums Read |
11-06-2003
|
|||
|
|||
RE: [Snort-users] Who doesn't care about virus rules, and why?
Williams Jon said:
> The majority of worms that I've seen, with the notable exception of > SQLSlammer, are TCP-based. They also use a randomization technique to > spread beyond their local subnet. What this ends up meaning is that > something like 90% of the time (in networks I monitor), the worm tries > to connect to non-existant or unreachable IP addresses. In these > cases, if you're only looking for the worm-specific data within the > session, your rules won't trigger - all that passes the sensor (if > anything) is the TCP SYN packet and maybe a TCP RST. So true. Here I managed to "merge" the projects of implementing IDS with centralized logging and alerting - to the extent that we now have places our firewall and router ACL block records get recorded to, and something that triggers alerts based on them (the important bit). Being able to trigger alerts when port 135 packets are blocked can give you *hours* of a head start on finding and cleaning a BLASTER PC, before it gets around to scaning a subnet that actually would work. Waiting on the IDS to show you it actually infecting another machine isn't so pro-active. Of course, False Positivies with the ACL alerts are a lot more of an issue. e.g. we found that our Exchange admins set off the rule whenever they were using the Message Tracking tool - it causes Exchange to make port 135 connections to every SMTP server a mail message routes through - sigh! Jason ------------------------------------------------------- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/ _______________________________________________ Snort-users mailing list Snort-users@lists.sourceforge.net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/...fo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.p...st=snort-users 
|
Linear Mode
