Snort mailing list archives
Re: Who doesn't care about virus rules, and why?
From: Snortty <cwcwcwg () yahoo com>
Date: Thu, 6 Nov 2003 08:37:32 -0800 (PST)
Yes, William, would you mind posting your rules to illustrate the point please? One objective for our Snort IDS to be installed on our network backbone is to be faster in responding to worm incidents like those that occurred recently, and it would help a great deal if your way really works. Thanks in advance. S.W. --- Iain Hallam <ccidsh () swarfega plus com> wrote:
Williams Jon wrote:

What we've ended up doing is monitoring the default route path for our network and watching for either TCP SYNs that are going places they shouldn't or TCP RST packets generated either by the firewall or the odd host that is actually hit. With thresholding, we can generate fairly useful alerts in cases where, in Blaster's case, one source address sends out TCP port 135 SYN packets to more than X number of hosts in Y period of time. This is so reliable, in nearly every case we've used it on, that we are able to auto-generate email alerts that go to someone else to actually _deal_ with the problem rather than making the IDS staff track down and call each victim independently.

We're doing something similar with ICMP on our network, but how can you tell the difference between large numbers of hosts and large numbers of packets to a single host? Would you mind posting one of your rules to illustrate the point? Thanks, Iain.
-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
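The distinction Iain asks about (many distinct target hosts versus many packets to one host) is exactly the difference between a plain per-source packet threshold and a count of distinct destinations per source in a time window. The following Python script is an added example and is not code posted by anyone in this thread; it assumes you already have SYN records extracted from your sensor or flow logs as (timestamp, src, dst, dport, flags) tuples, and the sample records it builds are constructed for illustration. It runs both detectors over the same sample so the difference in what each flags is visible.

```python
from collections import defaultdict, deque


def build_sample():
    """Constructed sample SYN records: (ts_seconds, src, dst, dport, flags).
    None of these addresses or events are real; they are made up for the demo."""
    recs = []
    # A host scanning port 135: one new destination every second (Blaster-like).
    for i in range(15):
        recs.append((i, "10.0.0.5", f"10.0.1.{i + 1}", 135, "S"))
    # A noisy but single-target host: 30 SYNs to one RPC server (e.g. a retrying client).
    for i in range(30):
        recs.append((i, "10.0.0.9", "10.0.2.2", 135, "S"))
    # Ordinary traffic: a couple of port 135 SYNs and one to another port.
    recs.append((3, "10.0.0.7", "10.0.3.1", 135, "S"))
    recs.append((4, "10.0.0.7", "10.0.3.2", 135, "S"))
    recs.append((5, "10.0.0.7", "10.0.3.3", 445, "S"))
    recs.sort(key=lambda r: r[0])
    return recs


def packets_by_src(records, dport=135, window=60, count=20):
    """Plain per-source packet threshold: alert once a source has sent more than
    `count` SYNs to `dport` within `window` seconds, regardless of destination.
    Returns a list of (src, ts, packets_in_window) alerts."""
    seen = defaultdict(deque)  # src -> timestamps of recent SYNs
    alerts = []
    for ts, src, dst, port, flags in records:
        if port != dport or "S" not in flags:
            continue
        q = seen[src]
        q.append(ts)
        while q and ts - q[0] > window:  # drop entries outside the window
            q.popleft()
        if len(q) > count:
            alerts.append((src, ts, len(q)))
            q.clear()  # reset so we alert once per burst, not per packet
    return alerts


def distinct_targets_by_src(records, dport=135, window=60, max_hosts=10):
    """Host-count threshold: alert once a source has sent SYNs to more than
    `max_hosts` distinct destinations on `dport` within `window` seconds.
    Returns a list of (src, ts, distinct_hosts_in_window) alerts."""
    seen = defaultdict(deque)  # src -> (ts, dst) of recent SYNs
    alerts = []
    for ts, src, dst, port, flags in records:
        if port != dport or "S" not in flags:
            continue
        q = seen[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:
            q.popleft()
        n_hosts = len({d for _, d in q})
        if n_hosts > max_hosts:
            alerts.append((src, ts, n_hosts))
            q.clear()
    return alerts


if __name__ == "__main__":
    recs = build_sample()
    print("packet threshold  :", packets_by_src(recs))
    print("distinct targets  :", distinct_targets_by_src(recs))
```

On the sample, the packet threshold fires only for 10.0.0.9 (30 SYNs to a single server) and never sees the scanner, which sends just 15 packets; the distinct-target count fires only for 10.0.0.5 once it reaches an eleventh destination and ignores the single-target host entirely. That is the property a worm-propagation alert wants, and it is why a per-source event count alone is not enough to separate a scanning host from a chatty one.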
Current thread:
- RE: Who doesn't care about virus rules, and why? Williams Jon (Nov 06)
- Re: Who doesn't care about virus rules, and why? Iain Hallam (Nov 06)
- Re: Who doesn't care about virus rules, and why? Snortty (Nov 06)
- RE: Who doesn't care about virus rules, and why? Jason Haar (Nov 06)
- <Possible follow-ups>
- RE: Who doesn't care about virus rules, and why? Schmehl, Paul L (Nov 06)
- Re: Who doesn't care about virus rules, and why? kenw (Nov 06)
- RE: Who doesn't care about virus rules, and why? Williams Jon (Nov 06)
- Re: Who doesn't care about virus rules, and why? Iain Hallam (Nov 06)