RE: [Snort-users] New Sasser Worm Signatures

05-11-2004
Sheahan, Paul

Alan,

Do you have your sensor inside your firewall? Assuming so, then your
firewall will block many attacks before they reach your sensor.

Example: Sasser scans for port 445, if your firewall blocks 445 (it
should!), then the sensor inside the firewall will not see anything.

Other things like slammer have died out quite a bit and won't be seen as
much as they used to.

Paul Sheahan
Information Security Manager
Priceline.com


-----Original Message-----
From: snort-users-admin@lists.sourceforge.net
[mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of Alan
Sent: Tuesday, May 11, 2004 4:58 AM
To: snort-users@lists.sourceforge.net
Subject: [Snort-users] New Sasser Worm Signatures

Hi Everyone-

I'm testing a Snort Sensor off of a cable modem running version 2.1.1
for the past few weeks. I'm using IDS Policy Manager and using their
snortrules-current.zip, which I assume, is Snort.org's
snortrules-snapshot-CURRENT.tar.gz. I have the latest rules for the
Sasser worm and I've noticed I have not been hit once from it. Is this
unusual? I figured after reading how fast the worm is spreading I would
have at least seen it hit the sensor a few times. Could it be that my
ISP is filtering the worm somehow? To be honest I don't even see a wide
variety of attacks on my sensor. The most common are Slammer, ShellCode
NOOPS, WEB-IIS unicode directory traversal attempts and Code Red. That's
about it. I know the sensor is functioning properly, if I hit it with
the CIS scanner alerts go off like crazy but because I'm using the
sensor to collect data on attacks it's kind of disappointing not to see
a greater variety of attacks. Is there something I might be doing wrong
that might not allow my Snort not to pick up certain attacks? Any
feedback would be greatly appreciated.




Thanks in advance!


Alan

I'm doing a (free) operating system (just a hobby, won't be big and
professional like gnu) for 386(486) AT clones.

Linus (torvalds@kruuna.helsinki.fi)
Date: 1991-08-25 23:12:08 PST




_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...=snort-users
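
Added example, not part of the original thread: one way to test Paul's point about sensor placement is to look at raw packet headers captured on the sensor's interface and count unsolicited inbound SYNs per port, independent of any Snort rule. It assumes IPv4 TCP lines in modern `tcpdump -nn` text output; the function names, the home network and the sample lines are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed input: IPv4 TCP lines in modern `tcpdump -nn` text format.
LINE_RE = re.compile(
    r"\bIP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def inbound_syn_sources(lines, home_net):
    """Map destination port -> set of external IPs that sent a bare SYN into home_net."""
    net = ipaddress.ip_network(home_net)
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m["flags"] != "S":  # skip SYN-ACK ("S."), data, resets, non-TCP
            continue
        src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
        if src not in net and dst in net:  # unsolicited, outside -> inside only
            seen[int(m["dport"])].add(str(src))
    return dict(seen)

def visibility_report(lines, home_net, ports=(445, 80)):
    """Distinct external SYN sources per port; 0 means nothing reached this vantage point."""
    seen = inbound_syn_sources(lines, home_net)
    return {port: len(seen.get(port, ())) for port in ports}

# Constructed sample capture (documentation address ranges, not real traffic).
SAMPLE = [
    "12:00:01.000001 IP 203.0.113.7.4312 > 192.0.2.10.80: Flags [S], seq 1, win 64240, length 0",
    "12:00:01.000050 IP 192.0.2.10.80 > 203.0.113.7.4312: Flags [S.], seq 9, ack 2, win 65535, length 0",
    "12:00:02.000001 IP 198.51.100.23.1055 > 192.0.2.10.80: Flags [S], seq 5, win 16384, length 0",
    "12:00:03.000001 IP 192.0.2.10.3321 > 198.51.100.99.445: Flags [S], seq 7, win 64240, length 0",
    "12:00:04.000001 IP 203.0.113.7.4313 > 192.0.2.10.80: Flags [S], seq 11, win 64240, length 0",
]

if __name__ == "__main__":
    for port, n in visibility_report(SAMPLE, "192.0.2.0/24").items():
        status = "visible" if n else "not reaching sensor (filtered upstream or no probes)"
        print(f"tcp/{port}: {n} external source(s), {status}")
```

A zero for tcp/445 alongside non-zero counts on other ports points at filtering in front of the sensor rather than at the Sasser rules.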