This is a discussion on [Snort-users] Re: RE: Re: New Sasser Worm Signatures within the Snort forums, part of the System Security and Security Related category.
Kevin,
Your explanation makes total sense. Since the only thing off of the cable modem is the sensor itself, I noticed that the only alerts I'm generating are for services that I'm advertising (http, sql, etc.). Since Sasser is a Windows vulnerability and I don't have a Windows computer off of the modem, could that possibly be why I haven't seen an alert? Will Snort only generate alerts if it identifies an attack AND there is a service running on a computer on the network it is sensing on? Also, you mentioned that I could create a rule where I could possibly capture all alerts. Could you elaborate on this?

Thanks!
Alan

----- Original Message -----
From: Kevin Binsfield <kbinsfield@safedge.com>
Date: Tuesday, May 11, 2004 12:17 pm
Subject: RE: Re: New Sasser Worm Signatures

> FYI
>
> Just checked an edge sensor at a small NOC, no firewall, mostly *IX rail
> for all NMAP Ping alerts as this seems to be a good indicator of SASSER.
> For the last 2 months there are no hits at all until 4-29. Then starting up
> again on 5-3, increased every day to 90+, then it's been slacking off since
> then. Currently about 30+/day.
>
> -----Original Message-----
> From: Kevin Binsfield [kbinsfield@safedge.com]
> Sent: Tuesday, May 11, 2004 2:57 PM
> To: 'ids@san.rr.com'
> Subject: Re: New Sasser Worm Signatures
>
>
> Wise words of Allan (Paller?)
> (I'm digest mode so can't see your headers, etc. but anyway)
>
>>
> Message: 3
>
> From: "Alan" <ids@san.rr.com>
> To: <snort-users@lists.sourceforge.net>
> Date: Tue, 11 May 2004 01:57:30 -0700
> Subject: [Snort-users] New Sasser Worm Signatures
>
> Hi Everyone-
>
> I'm testing a Snort Sensor off of a cable modem running version
> 2.1.1 for the past few weeks. I'm using IDS Policy Manager and using
> their snortrules-current.zip, which I assume is Snort.org's
> snortrules-snapshot-CURRENT.tar.gz. I have the latest rules for the
> Sasser worm and I've noticed I have not been hit once from it. Is this
> unusual? I figured after reading how fast the worm is spreading I
> would have at least seen it hit the sensor a few times. Could it be
> that my ISP is filtering the worm somehow? To be honest I don't even see a
> wide variety of attacks on my sensor. The most common are Slammer,
> ShellCode NOOPS, WEB-IIS unicode directory traversal attempts and
> Code Red. That's about it. I know the sensor is functioning properly; if I hit it with
> the CIS scanner, alerts go off like crazy, but because I'm using the
> sensor to collect data on attacks it's kind of disappointing not to see
> a greater variety of attacks. Is there something I might be doing
> wrong that might not allow my Snort to pick up certain attacks? Any
> feedback would be greatly appreciated.
>
>
> <snip>
>

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...st=snort-users
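Kevin's daily tally of NMAP Ping alerts is the kind of trend that can be pulled straight out of Snort's ASCII fast-format alert file (the layout Snort 2.x writes with `output alert_fast` or `-A fast`). The script below is an added example, not code from the thread or from the Snort project: it parses constructed `alert_fast` lines, counts alerts per day overall and for one signature, and also counts distinct source hosts per day for that signature, which separates a spreading worm (many sources, growing daily) from a single persistent scanner (one source, same count every day). The sample lines, their addresses, and the sid numbers and signature names in them are assumed for illustration and are not taken from any rule set or real sensor.

```python
"""Count Snort 2.x alert_fast lines per day and per signature.

Added example for the thread above; the sample log below is constructed,
not real sensor output, and the sids/messages in it are assumed.
"""
import re
from collections import Counter, defaultdict

# One alert_fast line looks like:
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] MESSAGE [**] [Classification: ...]
#   [Priority: N] {PROTO} SRC[:PORT] -> DST[:PORT]
# The trailing {proto} src -> dst part is optional so that lines from
# preprocessor alerts that omit it still parse.
FAST_RE = re.compile(
    r"^(?P<date>\d\d/\d\d)-(?P<time>\d\d:\d\d:\d\d\.\d+)\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]"
    r"(?:.*\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+))?"
)

# Constructed sample: no NMAP pings, then a ramp-up over several days.
SAMPLE_LOG = """\
04/28-03:12:44.101010  [**] [1:2003:2] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.7:1434 -> 198.51.100.2:1434
04/29-11:04:02.123456  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 203.0.113.9 -> 198.51.100.2
05/03-08:15:10.000001  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 203.0.113.21 -> 198.51.100.2
05/03-08:15:11.000002  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 203.0.113.22 -> 198.51.100.2
05/03-09:40:00.500000  [**] [1:2003:2] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.7:1434 -> 198.51.100.2:1434
05/04-01:02:03.000000  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 203.0.113.23 -> 198.51.100.2
05/04-01:02:04.000000  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 203.0.113.24 -> 198.51.100.2
05/04-01:02:05.000000  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 203.0.113.25 -> 198.51.100.2
this line is not an alert and must be skipped
"""


def parse_fast_alert(line):
    """Return a dict of fields for one alert_fast line, or None if it is not one."""
    m = FAST_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["sid"] = int(fields["sid"])
    return fields


def alerts_per_day(log_text, sid=None):
    """Map MM/DD -> number of alerts, optionally restricted to one sid."""
    counts = Counter()
    for line in log_text.splitlines():
        alert = parse_fast_alert(line)
        if alert is None:
            continue
        if sid is not None and alert["sid"] != sid:
            continue
        counts[alert["date"]] += 1
    return dict(sorted(counts.items()))


def unique_sources_per_day(log_text, sid):
    """Map MM/DD -> number of distinct source hosts that triggered `sid` that day."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        alert = parse_fast_alert(line)
        if alert and alert["sid"] == sid and alert["src"]:
            # Strip a :port suffix if present (TCP/UDP); ICMP sources have none.
            seen[alert["date"]].add(alert["src"].rsplit(":", 1)[0])
    return {day: len(hosts) for day, hosts in sorted(seen.items())}


if __name__ == "__main__":
    nmap_sid = 469  # assumed sid for "ICMP PING NMAP" in this sample
    print("all alerts per day:    ", alerts_per_day(SAMPLE_LOG))
    print("NMAP ping alerts/day:  ", alerts_per_day(SAMPLE_LOG, sid=nmap_sid))
    print("NMAP ping sources/day: ", unique_sources_per_day(SAMPLE_LOG, nmap_sid))
```

Run it against a real `alert` file by replacing `SAMPLE_LOG` with the file's contents. Two caveats when you do: the fast format carries no year in its timestamp, so a log that spans a year boundary needs splitting first, and a sensor that logs only to unified/binary output for barnyard has no ASCII file to parse at all.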