New Sasser Worm Signatures

["Alan" <ids () san rr com>]

Hi Everyone-

        I'm testing a Snort Sensor off of a cable modem running version 2.1.1 for
the past few weeks. I'm using IDS Policy Manager and using their
snortrules-current.zip, which I assume, is Snort.org's
snortrules-snapshot-CURRENT.tar.gz. I have the latest rules for the Sasser
worm and I've noticed I have not been hit once from it. Is this unusual?  I
figured after reading how fast the worm is spreading I would have at least
seen it hit the sensor a few times. Could it be that my ISP is filtering the
worm somehow? To be honest I don't even see a wide variety of attacks on my
sensor. The most common are Slammer, ShellCode NOOPS, WEB-IIS unicode
directory traversal attempts and Code Red. That's about it. I know the
sensor is functioning properly, if I hit it with the CIS scanner alerts go
off like crazy but because I'm using the sensor to collect data on attacks
it's kind of disappointing not to see a greater variety of attacks. Is there
something I might be doing wrong that might not allow my Snort not to pick
up certain attacks? Any feedback would be greatly appreciated.




Thanks in advance!


Alan

I'm doing a (free) operating system (just a hobby, won't be big and
professional like gnu) for 386(486) AT clones.

Linus (torvalds () kruuna helsinki fi)
Date: 1991-08-25 23:12:08 PST




-------------------------------------------------------
This SF.Net email is sponsored by Sleepycat Software
Learn developer strategies Cisco, Motorola, Ericsson & Lucent use to 
deliver higher performing products faster, at low TCO.
http://www.sleepycat.com/telcomwpreg.php?From=osdnemail3
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users