This is a discussion on Re: RE: [Snort-users] New Sasser Worm Signatures within the Snort forums, part of the System Security and Security Related category.
Paul,

No, I don't have a firewall between Snort and the cable modem or inside the sensor.

Thanks!
Alan

----- Original Message -----
From: "Sheahan, Paul" <Paul.Sheahan@priceline.com>
Date: Tuesday, May 11, 2004 10:59 am
Subject: RE: [Snort-users] New Sasser Worm Signatures

> Alan,
>
> Do you have your sensor inside your firewall? Assuming so, then your
> firewall will block many attacks before they reach your sensor.
>
> Example: Sasser scans for port 445, if your firewall blocks 445 (it
> should!), then the sensor inside the firewall will not see anything.
>
> Other things like slammer have died out quite a bit and won't be
> seen as much as they used to.
>
> Paul Sheahan
> Information Security Manager
> Priceline.com
>
> -----Original Message-----
> From: snort-users-admin@lists.sourceforge.net
> [snort-users-admin@lists.sourceforge.net] On Behalf Of Alan
> Sent: Tuesday, May 11, 2004 4:58 AM
> To: snort-users@lists.sourceforge.net
> Subject: [Snort-users] New Sasser Worm Signatures
>
> Hi Everyone-
>
> I'm testing a Snort Sensor off of a cable modem running version 2.1.1 for
> the past few weeks. I'm using IDS Policy Manager and using their
> snortrules-current.zip, which I assume is Snort.org's
> snortrules-snapshot-CURRENT.tar.gz. I have the latest rules for the Sasser
> worm and I've noticed I have not been hit once from it. Is this unusual? I
> figured after reading how fast the worm is spreading I would have at least
> seen it hit the sensor a few times. Could it be that my ISP is filtering the
> worm somehow? To be honest I don't even see a wide variety of attacks on my
> sensor. The most common are Slammer, ShellCode NOOPS, WEB-IIS unicode
> directory traversal attempts and Code Red. That's about it. I know the
> sensor is functioning properly; if I hit it with the CIS scanner alerts go
> off like crazy, but because I'm using the sensor to collect data on attacks
> it's kind of disappointing not to see a greater variety of attacks. Is there
> something I might be doing wrong that might not allow my Snort to pick up
> certain attacks? Any feedback would be greatly appreciated.
>
> Thanks in advance!
>
> Alan
>
> I'm doing a (free) operating system (just a hobby, won't be big and
> professional like gnu) for 386(486) AT clones.
>
> Linus (torvalds@kruuna.helsinki.fi)
> Date: 1991-08-25 23:12:08 PST
>
> -------------------------------------------------------
> This SF.Net email is sponsored by Sleepycat Software
> Learn developer strategies Cisco, Motorola, Ericsson & Lucent use to
> deliver higher performing products faster, at low TCO.
> http://www.sleepycat.com/telcomwpreg.php?From=osdnemail3
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
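Paul's point in the thread is that a sensor only reports what actually reaches it: if something upstream drops TCP/445, no Sasser rule will ever fire, however current the rule set. A practical way to separate "rules are wrong" from "traffic never arrives" is to profile which destination ports show up in the sensor's own alert log and compare that against the ports the worms of interest use. The script below is an added example written for this page, not code from the thread, from Snort, or from IDS Policy Manager. It parses Snort 2's "fast" alert format, which the thread's Snort 2.1.1 sensor could have been writing, but the log lines embedded in it are constructed, with local-range SIDs (1000001 and up) and RFC 5737 documentation addresses, and the message texts only loosely echo the alert families Alan mentions. The port list in `missing_ports` is likewise an assumption chosen for illustration (TCP/445 for Sasser, UDP/1434 for Slammer, TCP/80 for the web-server rules).

```python
"""Profile destination ports seen in a Snort 2 'fast' alert log.

Added example for the Snort-users Sasser thread. The sample alert lines are
CONSTRUCTED for this example (local SIDs 1000001+, RFC 5737 addresses) and
are not output captured from any real sensor.
"""
import re
from collections import Counter

# Snort 2 fast format:
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {PROTO} src:sport -> dst:dport
# ICMP alerts carry no ports, so the port groups are optional. IPv4 only; an
# IPv6 address (containing ':') would not match, which is fine for this demo.
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<pri>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[^:\s]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[^:\s]+)(?::(?P<dport>\d+))?\s*$"
)

# CONSTRUCTED sample log. The non-alert line at the end is deliberate, to show
# that the parser skips junk instead of failing on it.
SAMPLE_ALERTS = """\
05/11-04:12:07.118243  [**] [1:1000001:1] CONSTRUCTED MS-SQL Slammer-style propagation probe [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.0.2.44:1112 -> 198.51.100.5:1434
05/11-04:13:55.402911  [**] [1:1000002:1] CONSTRUCTED WEB-IIS unicode directory traversal attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.91:4021 -> 198.51.100.5:80
05/11-04:14:02.000130  [**] [1:1000003:1] CONSTRUCTED SHELLCODE x86 NOOP [**] [Classification: Executable Code was Detected] [Priority: 1] {TCP} 192.0.2.91:4022 -> 198.51.100.5:80
05/11-04:20:33.771004  [**] [1:1000004:1] CONSTRUCTED ICMP PING sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.7 -> 198.51.100.5
05/11-04:31:19.556712  [**] [1:1000001:1] CONSTRUCTED MS-SQL Slammer-style propagation probe [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.9:1072 -> 198.51.100.5:1434
this line is not a snort alert and should be skipped
"""

# Assumed ports of interest for this example: Sasser on TCP/445 (as stated in
# the thread), Slammer on UDP/1434, and the IIS/Code Red family on TCP/80.
EXPECTED_PORTS = {("TCP", 445), ("UDP", 1434), ("TCP", 80)}


def parse_fast_alert(line):
    """Return a dict for one fast-format alert line, or None if it is not one."""
    m = FAST_ALERT_RE.match(line.rstrip("\n"))
    if not m:
        return None
    d = m.groupdict()
    for key in ("gid", "sid", "rev", "pri", "sport", "dport"):
        d[key] = int(d[key]) if d[key] is not None else None
    d["proto"] = d["proto"].upper()
    return d


def parse_alert_log(text):
    """Parse every line of an alert log, silently dropping non-alert lines."""
    alerts = []
    for line in text.splitlines():
        parsed = parse_fast_alert(line)
        if parsed is not None:
            alerts.append(parsed)
    return alerts


def port_profile(alerts):
    """Count alerts per (protocol, destination port); ICMP shows as port None."""
    return Counter((a["proto"], a["dport"]) for a in alerts)


def missing_ports(alerts, expected=EXPECTED_PORTS):
    """Expected (proto, port) pairs that never appeared in any alert.

    An expected port that is entirely absent is the signal Paul describes:
    traffic to it is being filtered before the sensor, so rule freshness is
    not the problem to chase first.
    """
    seen = set(port_profile(alerts))
    return sorted(p for p in expected if p not in seen)


if __name__ == "__main__":
    alerts = parse_alert_log(SAMPLE_ALERTS)
    print(f"parsed {len(alerts)} alerts")
    for (proto, port), n in port_profile(alerts).most_common():
        print(f"  {proto:5} dport={port!s:6} alerts={n}")
    gaps = missing_ports(alerts)
    if gaps:
        print("never observed (check upstream filtering / sensor placement):", gaps)
```

On a real sensor you would point `parse_alert_log` at the contents of Snort's `alert` file instead of `SAMPLE_ALERTS`; the logic is unchanged. The check is only as good as the rule set, since a port that no rule ever alerts on will always look "missing" here, so for a definitive answer on whether TCP/445 ever reaches the box, a packet capture on the sensor interface is the complementary test.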