Snort mailing list archives

RE: DOS rules for Nimda


From: "Tudor Panaitescu" <tpanaitescu () colorcon com>
Date: Thu, 26 Sep 2002 10:37:48 -0400





Even Better (assuming that you have Cisco):

http://www.cisco.com/warp/public/63/nimda.shtml

Enjoy,
T
To: "Richard Ellerbrock" <richarde () eskom co za>, snort-users () lists sourceforge net
cc: (bcc: Tudor Panaitescu/ColorconUS)
Subject: RE: [Snort-users] DOS rules for Nimda

First things first, forget intrusion detection. Implement some good ACLs at
the border, and prevent the web servers from initiating any outside connections:

! 'established' matches only segments with ACK or RST set; a bare SYN from the server matches neither line
access-list 110 permit tcp host x.x.x.x eq 80 any established
access-list 110 permit tcp host x.x.x.x eq 443 any established
! every IOS ACL ends with an implicit 'deny ip any any', so unmatched SYNs are dropped here

Apply this inbound on the segment Ethernet interface (assuming Cisco here).
Legitimate traffic will not be affected, as those connections will be
established when the interface sees them inbound (this is actually outbound
traffic, but is not filtered as such until it reaches a serial interface).  This
will do three things:

1) It will stop the worm from propagating,
2) It will free up your router's resources, and
3) Keep the outgoing flood off of your Internet pipe

Once you've done that, then you can set up a simple Snort sensor on a monitoring
port (likely monitoring the uplink from your core switch to your router's
Ethernet interface).  All you need to do is download and compile Snort, test
according to the USAGE guidelines, set your home net, and let 'er rip.  The
snort.conf defaults should be just fine for catching and logging these systems,
and no configuration of stream4 should be necessary in this instance.

Cheers

Keith
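To show why the two-line ACL above lets legitimate web traffic through while stopping a worm on the server from scanning outward, here is a small Python model of how IOS evaluates it. This is an added example written for this archive page, not Cisco code and not code from the original thread; the server address 192.0.2.10, the trace of segments and the descriptions are constructed for illustration, and the model only covers the "established" test and the implicit deny (it ignores interface direction and any other ACL lines).

```python
from dataclasses import dataclass

# Constructed stand-in for the "x.x.x.x" web server in the posted ACL.
WEB_SERVER = "192.0.2.10"


@dataclass(frozen=True)
class Segment:
    """A TCP segment as the ACL sees it leaving the server segment."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # e.g. frozenset({"SYN"}), frozenset({"SYN", "ACK"})


def is_established(seg: Segment) -> bool:
    """IOS 'established' matches only segments with the ACK or RST bit set.

    A bare SYN (a new outbound connection attempt) never matches, which is
    exactly what keeps an infected server from scanning other hosts."""
    return bool(seg.flags & {"ACK", "RST"})


def acl_110(seg: Segment) -> str:
    """Evaluate the two-line ACL from the post against one segment.

    Lines are checked in order; a segment that matches neither falls through
    to the implicit 'deny ip any any' that ends every IOS access list."""
    if seg.src == WEB_SERVER and seg.sport == 80 and is_established(seg):
        return "permit"
    if seg.src == WEB_SERVER and seg.sport == 443 and is_established(seg):
        return "permit"
    return "deny"


# Constructed trace of segments sourced from the server and headed for the router.
TRACE = [
    ("SYN/ACK reply to a legitimate HTTP client",
     Segment(WEB_SERVER, 80, "198.51.100.7", 40001, frozenset({"SYN", "ACK"}))),
    ("HTTP response data to that client",
     Segment(WEB_SERVER, 80, "198.51.100.7", 40001, frozenset({"ACK", "PSH"}))),
    ("HTTPS reset to a closed client connection",
     Segment(WEB_SERVER, 443, "198.51.100.9", 40002, frozenset({"RST"}))),
    ("Worm scan: bare SYN from an ephemeral port to another host's port 80",
     Segment(WEB_SERVER, 3456, "203.0.113.55", 80, frozenset({"SYN"}))),
    ("Bare SYN sourced from port 80 (still a new connection, still dropped)",
     Segment(WEB_SERVER, 80, "203.0.113.56", 80, frozenset({"SYN"}))),
]


def evaluate(trace=TRACE):
    """Return {description: decision} for every segment in the trace."""
    return {desc: acl_110(seg) for desc, seg in trace}


if __name__ == "__main__":
    for desc, decision in evaluate().items():
        print(f"{decision:6}  {desc}")
```

Note that the implicit deny also stops anything else the servers originate (DNS lookups, NTP, outbound mail), so in practice you add explicit permits for those before the two lines go live.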



-----Original Message-----
From: Richard Ellerbrock [mailto:richarde () eskom co za]
Sent: Thursday, September 26, 2002 7:12 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] DOS rules for Nimda


I am trying to help a very large site that is being killed by denial of
service due to a large number of MS type workstations infected by Nimda.
The standard snort rules are no good as no connection is actually made,
just a HUGE SYN flood looking for open Web servers to infect. Traffic
looks like this:

Each host sends 2x SYN packets exactly the same (same source port, SEQ
and WIN size) to a remote host on port 80. Obviously never gets a reply.
Within a couple of milliseconds, tries another random destination.

Now my understanding of snort points to the stream4 processor to catch
this stuff, but how to configure. The docs are a little unclear to this
snort newbie. I do get TTL evasion on stream4, but this does not
indicate much.

Any help with rules/setup for this would be great.
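The traffic pattern described above (pairs of identical SYNs to port 80, never answered, then a new random destination) cannot be caught by a content rule because no payload is ever sent; it has to be counted per source host across packets. The Python below is an added example of that counting logic written for this archive page; it is not a Snort rule, not the stream4 preprocessor, and not code from anyone in the thread. The one-line-per-packet trace format and the addresses in SAMPLE_TRACE are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed trace in a tcpdump-like one-line-per-packet format (not real
# capture data). Flags: S = SYN only, SA = SYN/ACK, A = ACK.
# 10.1.2.3 behaves like the infected hosts in the post; 10.1.2.9 is a normal client.
SAMPLE_TRACE = """
1033034400.000101 10.1.2.3:1045 > 203.0.113.7:80 S seq=884211 win=8192
1033034400.000105 10.1.2.3:1045 > 203.0.113.7:80 S seq=884211 win=8192
1033034400.002310 10.1.2.3:1045 > 203.0.113.91:80 S seq=884211 win=8192
1033034400.002314 10.1.2.3:1045 > 203.0.113.91:80 S seq=884211 win=8192
1033034400.004500 10.1.2.3:1045 > 198.51.100.13:80 S seq=884211 win=8192
1033034400.004504 10.1.2.3:1045 > 198.51.100.13:80 S seq=884211 win=8192
1033034400.006722 10.1.2.3:1045 > 203.0.113.140:80 S seq=884211 win=8192
1033034400.006726 10.1.2.3:1045 > 203.0.113.140:80 S seq=884211 win=8192
1033034400.010000 10.1.2.9:1301 > 198.51.100.5:80 S seq=5520 win=16384
1033034400.031000 198.51.100.5:80 > 10.1.2.9:1301 SA seq=901 win=5840
1033034400.031900 10.1.2.9:1301 > 198.51.100.5:80 A seq=5521 win=16384
"""

LINE_RE = re.compile(
    r"^(?P<ts>[\d.]+) (?P<src>[\d.]+):(?P<sport>\d+) > (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<flags>[SAFRP]+) seq=(?P<seq>\d+) win=(?P<win>\d+)$"
)


def parse_trace(text):
    """Yield one dict per well-formed line; skip anything that does not parse."""
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        yield {
            "ts": float(d["ts"]), "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]), "flags": d["flags"],
            "seq": int(d["seq"]), "win": int(d["win"]),
        }


def find_scanners(text, min_unanswered=3):
    """Flag sources that send bare SYNs to many port-80 hosts and never get a SYN/ACK.

    Three per-source signals, all taken from the behaviour described in the post:
      * distinct destinations probed with a bare SYN to port 80,
      * how many of those destinations never answered with SYN/ACK,
      * repeated SYNs that are identical (same source port, SEQ and WIN).
    """
    targets = defaultdict(set)      # src -> destinations hit with a bare SYN
    answered = defaultdict(set)     # client -> servers that sent back SYN/ACK
    seen = set()                    # (src, sport, dst, seq, win) already seen
    duplicates = defaultdict(int)   # src -> count of repeated identical SYNs

    for p in parse_trace(text):
        if p["flags"] == "S" and p["dport"] == 80:
            key = (p["src"], p["sport"], p["dst"], p["seq"], p["win"])
            if key in seen:
                duplicates[p["src"]] += 1
            seen.add(key)
            targets[p["src"]].add(p["dst"])
        elif p["flags"] == "SA" and p["sport"] == 80:
            answered[p["dst"]].add(p["src"])

    report = {}
    for src, dsts in targets.items():
        unanswered = dsts - answered[src]
        if len(unanswered) >= min_unanswered:
            report[src] = {
                "targets": len(dsts),
                "unanswered": len(unanswered),
                "duplicate_syns": duplicates[src],
            }
    return report


if __name__ == "__main__":
    for src, stats in find_scanners(SAMPLE_TRACE).items():
        print(f"{src}: {stats}")
```

The "unanswered" signal only works if the sensor sees both directions of traffic, which is the case on the uplink monitoring port Keith describes; a sensor that sees only the outbound side should rely on the distinct-target count and the duplicate-SYN count instead. The threshold of three unanswered destinations is deliberately low for the constructed sample and would be raised on a real network.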



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


