Snort mailing list archives

RE: DOS rules for Nimda


From: "McCammon, Keith" <Keith.McCammon () eadvancemed com>
Date: Thu, 26 Sep 2002 10:25:23 -0400

First things first, forget intrusion detection.  Implement some good ACL's at the border, and prevent the web servers from initiating any outside connections:

access-list 110 permit tcp host x.x.x.x eq 80 any established
access-list 110 permit tcp host x.x.x.x eq 443 any established

Apply this inbound on the segment Ethernet interface (assuming Cisco here).  Legitimate traffic will not be affected, as those connections will be established when the interface sees them inbound (this is actually outbound traffic, but is not filtered as such until it reaches a serial interface).  This will do three things:

1) It will stop the worm from propagating,  
2) It will free up your router's resources, and
3) Keep the outgoing flood off of your Internet pipe

Once you've done that, then you can set up a simple Snort sensor on a monitoring port (likely monitoring the uplink from your core switch to your router's Ethernet interface).  All you need to do is download and compile Snort, test according to the USAGE guidelines, set your home net, and let 'er rip.  The snort.conf defaults should be just fine for catching and logging these systems, and no configuration of stream4 should be necessary in this instance.

Cheers

Keith
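The traffic pattern described in the original message below (paired identical SYNs to port 80, random destinations, no reply ever seen) is what standard connection-oriented rules miss. As an added example that is not from either poster, the following Python script shows one way to detect it from packet records: it flags sources whose port-80 SYNs to several distinct hosts are never answered with a SYN/ACK, and counts the repeated identical SYNs. The packet tuples are constructed sample data, not captured traffic.

```python
from collections import defaultdict

# Constructed sample records: (src, sport, dst, dport, flags, seq, win).
# 10.0.0.5 shows the Nimda-style pattern (duplicate SYN pairs to random
# port-80 targets, never answered); 10.0.0.9 completes a normal handshake.
PACKETS = [
    ("10.0.0.5", 3201, "198.51.100.7", 80, "S", 1000, 8192),
    ("10.0.0.5", 3201, "198.51.100.7", 80, "S", 1000, 8192),
    ("10.0.0.5", 3202, "203.0.113.40", 80, "S", 1001, 8192),
    ("10.0.0.5", 3202, "203.0.113.40", 80, "S", 1001, 8192),
    ("10.0.0.5", 3203, "192.0.2.77", 80, "S", 1002, 8192),
    ("10.0.0.5", 3203, "192.0.2.77", 80, "S", 1002, 8192),
    ("10.0.0.9", 4000, "192.0.2.10", 80, "S", 5000, 65535),
    ("192.0.2.10", 80, "10.0.0.9", 4000, "SA", 9000, 65535),
    ("10.0.0.9", 4000, "192.0.2.10", 80, "A", 5001, 65535),
]


def find_unanswered_syn_scanners(packets, min_targets=3):
    """Return {src: {"targets": n, "duplicate_syns": m}} for sources that sent
    bare SYNs to port 80 on at least min_targets hosts without ever receiving
    a SYN/ACK back. duplicate_syns counts SYNs repeated with the same source
    port, sequence number and window size, the signature in the report."""
    syn_targets = defaultdict(set)   # src -> hosts probed on port 80
    answered = set()                 # (client, server) pairs that got SYN/ACK
    dup_syn = defaultdict(int)       # src -> repeated identical SYN count
    seen_syn = set()
    for src, sport, dst, dport, flags, seq, win in packets:
        if flags == "S" and dport == 80:
            syn_targets[src].add(dst)
            key = (src, sport, dst, seq, win)
            if key in seen_syn:
                dup_syn[src] += 1
            seen_syn.add(key)
        elif flags == "SA":
            answered.add((dst, src))  # dst here is the original client
    result = {}
    for src, targets in syn_targets.items():
        unanswered = {d for d in targets if (src, d) not in answered}
        if len(unanswered) >= min_targets:
            result[src] = {"targets": len(unanswered),
                           "duplicate_syns": dup_syn[src]}
    return result


if __name__ == "__main__":
    for host, info in find_unanswered_syn_scanners(PACKETS).items():
        print(f"{host}: {info['targets']} unanswered targets, "
              f"{info['duplicate_syns']} duplicate SYNs")
```

Lowering min_targets or adding a time window would tune it for a real capture; the point is that the signal is the absence of replies across many destinations, not any single packet.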



-----Original Message-----
From: Richard Ellerbrock [mailto:richarde () eskom co za]
Sent: Thursday, September 26, 2002 7:12 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] DOS rules for Nimda


I am trying to help a very large site that is being killed by denial of service due to a large number of MS type workstations infected by Nimda. The standard snort rules are no good as no connection is actually made, just a HUGE SYN flood looking for open Web servers to infect. Traffic looks like this:

Each host sends 2x SYN packets exactly the same (same source port, SEQ and WIN size) to a remote host on port 80. Obviously never gets a reply. Within a couple of milliseconds, tries another random destination.

Now my understanding of snort points to the stream4 processor to catch this stuff, but how to configure. The docs are a little unclear to this snort newbie. I do get TTL evasion on stream4, but this does not indicate much.

Any help with rules/setup for this would be great.



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
