Snort mailing list archives

Snort to detect Window worms & scanners etc.


From: Jorgen Lundman <lundman () lundman net>
Date: Fri, 23 Apr 2004 12:53:20 +0900


(Hopefully this will be allowed through - not on the mailing list).

We have the situation here that we use a Solaris box and ipf/ipnat to let all on the inside talk to the outside. We don't really need to protect ourselves from incoming scans (except on the nat box itself) but rather the troubles that happen most frequently are that the Windows users (so far, 100% only Windows) manage to infect themselves with whatever Worm, Trojans, Virus etc. These often start scanning, or DDOSing the net.

I would like to find a tool that would mostly look for these patterns. Generally it is quite easy to spot them (cycling IPs or mass packet storms) but something automatic would be nice. If it would also pick out other questionable packets that would be a bonus too.

Presumably it would need its DB regularly updated for whatever new flavour is out there.

Is this something snort does? I read the FAQ and got the feeling it was concentrating more on attacks, and scans?

I apologise for the noise..

Please CC: me if you reply.

Lund

--
Jorgen Lundman       | <lundman () lundman net>
Unix Administrator   | +81 (0)3 -5456-2687 ext 1017 (work)
Shibuya-ku, Tokyo    | +81 (0)90-5578-8500          (cell)
Japan                | +81 (0)3 -3375-1767          (home)
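The "cycling IPs" and "mass packet storm" patterns the post describes, as an added example that is neither from the post nor from Snort: a small Python script that buckets outbound connections per internal source and flags sources that hit many distinct destinations, or send many packets, inside one short window. The log lines, the approximate ipmon(1M) format they imitate, the addresses and the thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed lines in roughly the ipmon(1M) text format; every address and
# timestamp is made up. 192.168.1.20 (hypothetical infected desktop) walks
# across destination IPs on port 445; 192.168.1.30 just browses.
SAMPLE_LOG = "\n".join(
    [f"23/04/2004 12:53:2{i}.000000 hme0 @0:2 p 192.168.1.20,{1025 + i} "
     f"-> 10.0.0.{i + 1},445 PR tcp len 20 48 -S OUT" for i in range(8)]
    + ["23/04/2004 12:53:21.000000 hme0 @0:2 p 192.168.1.30,1100 -> 10.0.1.5,80 PR tcp len 20 48 -S OUT",
       "23/04/2004 12:53:25.000000 hme0 @0:2 p 192.168.1.30,1101 -> 10.0.1.6,80 PR tcp len 20 48 -S OUT"]
)

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d+) \S+ @\S+ \S+ "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) PR (?P<proto>\w+)"
)

def parse_ipmon(text):
    """Yield (epoch_seconds, src, dst, dport) for each line in the assumed format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not carry a src -> dst pair
        stamp = datetime.strptime(m["ts"], "%d/%m/%Y %H:%M:%S.%f")
        yield stamp.replace(tzinfo=timezone.utc).timestamp(), m["src"], m["dst"], int(m["dport"])

def find_scanners(text, window_s=10, max_dsts=5, max_pkts=50):
    """Return {src: (distinct_dsts, packets)} for sources that, within any fixed
    window_s-second bucket, reached max_dsts distinct destinations ("cycling IPs")
    or max_pkts packets ("packet storm"). Values are the worst bucket seen."""
    dsts = defaultdict(set)   # (src, bucket) -> destinations contacted
    pkts = defaultdict(int)   # (src, bucket) -> packets sent
    for ts, src, dst, _dport in parse_ipmon(text):
        key = (src, int(ts // window_s))
        dsts[key].add(dst)
        pkts[key] += 1
    flagged = {}
    for key, seen in dsts.items():
        src, n_dst, n_pkt = key[0], len(seen), pkts[key]
        if n_dst >= max_dsts or n_pkt >= max_pkts:
            prev = flagged.get(src, (0, 0))
            flagged[src] = (max(prev[0], n_dst), max(prev[1], n_pkt))
    return flagged

if __name__ == "__main__":
    for src, (n_dst, n_pkt) in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: {n_dst} distinct destinations, {n_pkt} packets in one window")
```

Thresholds are deliberately loose here; on a real ipmon feed the window and counts should be tuned against a baseline of the site's normal outbound traffic before alerting on them.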

