RE: DOS rules for Nimda

["Richard Ellerbrock" <richarde () eskom co za>]

Getting back to the cisco rule option - not really going to work as it
will be difficult deploying to over 700 routers/sites. All these sites
are on one large Intranet connected via a single Internet connection and
at the Internet connection infront of the firewall is where I have
deployed a sensor. What I have done in the meantime is to scan for TCP
SYN's on port 80 hitting the firewall with destination addresses that
are in the internal 10.0.0.0/8 address space (not all space is used, so
some unknown destinations hit the firewall due to the default route).
This solution is not portable and 100% reliable - also requires my own
rules. See my other note to Martin for the real requirement/solution!

> > > "Madziarczyk, Jonathan" <than () cityofevanston org> 2002/09/26
05:22:53 >>>


> Even Better (assuming that you have Cisco):
>
> http://www.cisco.com/warp/public/63/nimda.shtml 

If you use this, please make sure you have IOS ver 12.2(10a) or
higher.
There's a bug where it doesn't catch all packets if you have a "log"
statement in an ACL that is applied to the same interface.

Otherwise it works great!

My .02
~than


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users