Snort mailing list archives
RE: Who doesn't care about virus rules, and why?
From: "Jason Haar" <Jason.Haar () xch trimble co nz>
Date: Fri, 7 Nov 2003 05:44:22 +1300 (NZDT)
Williams Jon said:
The majority of worms that I've seen, with the notable exception of SQLSlammer, are TCP-based. They also use a randomization technique to spread beyond their local subnet. What this ends up meaning is that something like 90% of the time (in networks I monitor), the worm tries to connect to non-existent or unreachable IP addresses. In these cases, if you're only looking for the worm-specific data within the session, your rules won't trigger - all that passes the sensor (if anything) is the TCP SYN packet and maybe a TCP RST.
So true. Here I managed to "merge" the projects of implementing IDS with centralized logging and alerting - to the extent that we now have places our firewall and router ACL block records get recorded to, and something that triggers alerts based on them (the important bit). Being able to trigger alerts when port 135 packets are blocked can give you *hours* of a head start on finding and cleaning a BLASTER PC, before it gets around to scanning a subnet that actually would work. Waiting on the IDS to show you it actually infecting another machine isn't so pro-active.

Of course, False Positives with the ACL alerts are a lot more of an issue. e.g. we found that our Exchange admins set off the rule whenever they were using the Message Tracking tool - it causes Exchange to make port 135 connections to every SMTP server a mail message routes through - sigh!

Jason
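The alerting Jason describes (trigger on ACL deny records for port 135 before the worm ever reaches a live host, with an allow-list for the Exchange admins' Message Tracking workstation) can be sketched as a short script over the collected block logs. This is an added example written for this archive page, not code from the thread or from Snort. The Cisco IOS style `%SEC-6-IPACCESSLOGP` lines, the IP addresses, the threshold of three distinct targets, and the allow-listed host `10.1.5.9` are all constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of router ACL deny records (Cisco IOS style syslog).
# Addresses and timestamps are invented for this example.
SAMPLE_LOG = """\
Nov  6 14:02:11 rtr1 %SEC-6-IPACCESSLOGP: list 110 denied tcp 10.1.20.55(1041) -> 10.9.3.17(135), 1 packet
Nov  6 14:02:11 rtr1 %SEC-6-IPACCESSLOGP: list 110 denied tcp 10.1.20.55(1042) -> 10.9.3.18(135), 1 packet
Nov  6 14:02:12 rtr1 %SEC-6-IPACCESSLOGP: list 110 denied tcp 10.1.20.55(1043) -> 10.9.3.19(135), 1 packet
Nov  6 14:02:14 rtr1 %SEC-6-IPACCESSLOGP: list 110 denied tcp 10.1.20.55(1045) -> 10.9.3.21(135), 1 packet
Nov  6 14:02:20 rtr1 %SEC-6-IPACCESSLOGP: list 110 denied tcp 10.1.5.9(2211) -> 10.9.7.4(135), 1 packet
Nov  6 14:02:21 rtr1 %SEC-6-IPACCESSLOGP: list 110 denied tcp 10.1.5.9(2212) -> 10.9.7.5(135), 1 packet
Nov  6 14:02:21 rtr1 %SEC-6-IPACCESSLOGP: list 110 denied tcp 10.1.5.9(2213) -> 10.9.7.6(135), 1 packet
Nov  6 14:02:30 rtr1 %SEC-6-IPACCESSLOGP: list 110 denied tcp 10.1.4.2(3001) -> 10.9.9.9(445), 1 packet
"""

# Matches "denied tcp SRC(SPORT) -> DST(DPORT)" in an IOS ACL log line.
DENY_RE = re.compile(r"denied tcp (\S+)\((\d+)\) -> (\S+)\((\d+)\)")

# Hypothetical allow-list: the Exchange admin workstation whose Message Tracking
# tool legitimately opens port 135 to many SMTP hops (the false positive in the post).
KNOWN_RPC_CLIENTS = frozenset({"10.1.5.9"})


def parse_denies(log_text):
    """Yield (src, dst, dport) for every ACL deny record the regex recognises."""
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            src, _sport, dst, dport = m.groups()
            yield src, dst, int(dport)


def find_scanners(log_text, port=135, threshold=3, exclude=KNOWN_RPC_CLIENTS):
    """Return {src: sorted distinct dsts} for sources whose *blocked* connection
    attempts to `port` hit at least `threshold` distinct destinations.

    Counting distinct destinations rather than raw packets is what separates a
    worm sweeping random addresses from a host retrying one legitimate peer;
    `exclude` suppresses hosts known to fan out on that port for good reasons.
    """
    targets = defaultdict(set)
    for src, dst, dport in parse_denies(log_text):
        if dport == port and src not in exclude:
            targets[src].add(dst)
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


if __name__ == "__main__":
    for src, dsts in find_scanners(SAMPLE_LOG).items():
        print(f"ALERT possible port-135 scanner {src}: {len(dsts)} blocked targets {dsts}")
```

Run against the constructed log, only `10.1.20.55` is reported: `10.1.5.9` also fans out on port 135 but is on the allow-list, and `10.1.4.2` is blocked on a different port. Dropping the allow-list (`exclude=frozenset()`) makes the Exchange admin host fire too, which is exactly the false positive the post complains about.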
Current thread:
- RE: Who doesn't care about virus rules, and why? Williams Jon (Nov 06)
- Re: Who doesn't care about virus rules, and why? Iain Hallam (Nov 06)
- Re: Who doesn't care about virus rules, and why? Snortty (Nov 06)
- RE: Who doesn't care about virus rules, and why? Jason Haar (Nov 06)
- <Possible follow-ups>
- RE: Who doesn't care about virus rules, and why? Schmehl, Paul L (Nov 06)
- Re: Who doesn't care about virus rules, and why? kenw (Nov 06)
- RE: Who doesn't care about virus rules, and why? Williams Jon (Nov 06)
- Re: Who doesn't care about virus rules, and why? Iain Hallam (Nov 06)