Re: RE: Re: New Sasser Worm Signatures

[ids () san rr com]

Kevin,

Your explaination makes total sense. Since the only thing off of the cable modem is the sensor itself I noticed that 
the only alerts I'm generating are services that I'm advertising (http, sql...etc). Since Sasser is a Windows 
vunerablilty and I don't have a Windows computer off of the modem , could that be possibly why I havn't seen an alert? 
Will Snort only generate alerts if it identifies an attack AND a there is a service runnning on a computer on the 
netwrok it is sensing on?  


Also you mentioned that I could create a rule where I could possibly capture all alerts. Could you elaborate on this?  


Thanks!


Alan

----- Original Message -----
From: Kevin Binsfield <kbinsfield () safedge com>
Date: Tuesday, May 11, 2004 12:17 pm
Subject: RE: Re: New Sasser Worm Signatures

> FYI
>
> Just checked an edge sensor at a small NOC, no firewall, mostly 
> *IX rail
> for all NMAP Ping alerts as this seems to be a good indicator of 
> SASSER.For last 2 months there are No hits at all until 4-29. Then 
> starting up
> again on 5-3 increased every day to 90+ then it's been slacking 
> off snce
> then. Currently about 30+/day.
>
> -----Original Message-----
> From: Kevin Binsfield [kbinsfield () safedge com] 
> Sent: Tuesday, May 11, 2004 2:57 PM
> To: 'ids () san rr com'
> Subject: Re: New Sasser Worm Signatures
>
>
> Wise words of Allan  (Paller?)
> (I'm digest mode so can't see your headers,etc but anyway)
>
> > >
> Message: 3
>
> From: "Alan" <ids () san rr com>
> To: <snort-users () lists sourceforge net>
> Date: Tue, 11 May 2004 01:57:30 -0700
> Subject: [Snort-users] New Sasser Worm Signatures
>
> Hi Everyone-
>
>       I'm testing a Snort Sensor off of a cable modem running version
> 2.1.1 for the past few weeks. I'm using IDS Policy Manager and using
> their snortrules-current.zip, which I assume, is Snort.org's
> snortrules-snapshot-CURRENT.tar.gz. I have the latest rules for the
> Sasser worm and I've noticed I have not been hit once from it. Is this
> unusual?  I figured after reading how fast the worm is spreading I 
> wouldhave at least seen it hit the sensor a few times. Could it be 
> that my
> ISP is filtering the worm somehow? To be honest I don't even see a 
> widevariety of attacks on my sensor. The most common are Slammer, 
> ShellCodeNOOPS, WEB-IIS unicode directory traversal attempts and 
> Code Red. That's
> about it. I know the sensor is functioning properly, if I hit it with
> the CIS scanner alerts go off like crazy but because I'm using the
> sensor to collect data on attacks it's kind of disappointing not 
> to see
> a greater variety of attacks. Is there something I might be doing 
> wrongthat might not allow my Snort not to pick up certain attacks? Any
> feedback would be greatly appreciated.
>
>
> <snip>



-------------------------------------------------------
This SF.Net email is sponsored by Sleepycat Software
Learn developer strategies Cisco, Motorola, Ericsson & Lucent use to 
deliver higher performing products faster, at low TCO.
http://www.sleepycat.com/telcomwpreg.php?From=osdnemail3
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users