Snort mailing list archives
Re: RE: Re: New Sasser Worm Signatures
From: ids () san rr com
Date: Tue, 11 May 2004 12:47:14 -0700
Kevin,

Your explanation makes total sense. Since the only thing off of the cable modem is the sensor itself, I noticed that the only alerts I'm generating are for services that I'm advertising (http, sql, etc.). Since Sasser is a Windows vulnerability and I don't have a Windows computer off of the modem, could that possibly be why I haven't seen an alert? Will Snort only generate alerts if it identifies an attack AND there is a service running on a computer on the network it is sensing on?

Also you mentioned that I could create a rule where I could possibly capture all alerts. Could you elaborate on this?

Thanks!

Alan

----- Original Message -----
From: Kevin Binsfield <kbinsfield () safedge com>
Date: Tuesday, May 11, 2004 12:17 pm
Subject: RE: Re: New Sasser Worm Signatures
FYI

Just checked an edge sensor at a small NOC, no firewall, mostly *IX rail for all NMAP Ping alerts as this seems to be a good indicator of SASSER. For the last 2 months there are no hits at all until 4-29. Then starting up again on 5-3, increased every day to 90+, then it's been slacking off since then. Currently about 30+/day.

-----Original Message-----
From: Kevin Binsfield [kbinsfield () safedge com]
Sent: Tuesday, May 11, 2004 2:57 PM
To: 'ids () san rr com'
Subject: Re: New Sasser Worm Signatures

Wise words of Allan (Paller?) (I'm digest mode so can't see your headers, etc but anyway)

Message: 3
From: "Alan" <ids () san rr com>
To: <snort-users () lists sourceforge net>
Date: Tue, 11 May 2004 01:57:30 -0700
Subject: [Snort-users] New Sasser Worm Signatures

Hi Everyone-

I'm testing a Snort Sensor off of a cable modem running version 2.1.1 for the past few weeks. I'm using IDS Policy Manager and their snortrules-current.zip, which I assume is Snort.org's snortrules-snapshot-CURRENT.tar.gz. I have the latest rules for the Sasser worm and I've noticed I have not been hit once by it. Is this unusual? I figured after reading how fast the worm is spreading I would have at least seen it hit the sensor a few times. Could it be that my ISP is filtering the worm somehow? To be honest I don't even see a wide variety of attacks on my sensor. The most common are Slammer, ShellCode NOOPS, WEB-IIS unicode directory traversal attempts and Code Red. That's about it. I know the sensor is functioning properly; if I hit it with the CIS scanner, alerts go off like crazy, but because I'm using the sensor to collect data on attacks it's kind of disappointing not to see a greater variety of attacks. Is there something I might be doing wrong that might not allow my Snort to pick up certain attacks? Any feedback would be greatly appreciated.

<snip>