Re: Who doesn't care about virus rules, and why?

[Iain Hallam <ccidsh () swarfega plus com>]

Williams Jon wrote:
> What we've ended up doing is monitoring the default route path for
> our network and watching for either TCP SYNs that are going places
> they shouldn't or TCP RST packets generated either by the firewall or
> the odd host that is actually hit.  With thresholding, we can
> generate fairly useful alerts in cases where, in Blaster's case, one
> source address sends out TCP port 135 SYN packets to more than X
> number of hosts in Y period of time.  This is so reliable, in nearly
> every case we've used it on, that we are able to auto-generate email
> alerts that go to someone else to actually _deal_ with the problem
> rather than making the IDS staff track down and call each victim
> independantly.

We're doing something similar with ICMP on our network, but how can you 
tell the difference between large numbers of hosts and large numbers of 
packets to a single host? Would you mind posting one of your rules to 
illustrate the point?

Thanks,

Iain.



-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive?  Does it
help you create better code?   SHARE THE LOVE, and help us help
YOU!  Click Here: http://sourceforge.net/donate/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users