[Snort-sigs] TCP sweeps

eltra1n larry.wichman at ...2420...
Mon Dec 13 05:48:13 EST 2004


I had a user log on to my remote access VPN. The user's machine was
doing TCP sweeps on port 445, and I think it may have been infected
with MS Blaster. Does anyone have a suggestion on how I can detect
this type of traffic with Snort? I am thinking of writing a sig that
looks for port 445 traffic and setting a very high threshold; it would
be nice not to re-invent the wheel, though. Thanks in advance.

-- 
Lawerence A. Wichman
2719 W Thomas Apt 2
Chicago, Il 60622
773-807-7606
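
Added example, not part of the original post: a sketch of sweep detection that counts distinct destination hosts per source on TCP/445 inside a sliding window, which separates a sweep from a client that simply talks a lot to one file server. The event tuples, addresses, window and host threshold are all constructed assumptions; in practice the events would come from connection logs or Snort alert output.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

T0 = datetime(2004, 12, 13, 5, 0, 0)

def build_sample():
    """Constructed events: (timestamp, src_ip, dst_ip, dst_port) per TCP SYN."""
    events = []
    for i in range(30):   # sweeper: a new host every second
        events.append((T0 + timedelta(seconds=i), "10.8.0.23", f"10.1.0.{i + 1}", 445))
    for i in range(40):   # busy client: many connections, one file server
        events.append((T0 + timedelta(seconds=i), "10.8.0.40", "10.1.0.5", 445))
    for i in range(30):   # slow walker: a new host every 10 s, below the rate
        events.append((T0 + timedelta(seconds=10 * i), "10.8.0.51", f"10.2.0.{i + 1}", 445))
    events.append((T0, "10.8.0.23", "10.1.0.9", 80))  # unrelated port, ignored
    return events

def find_sweepers(events, port=445, window=timedelta(seconds=60), min_hosts=20):
    """Return {src: (first_alert_time, distinct_hosts)} for sources that contact
    at least min_hosts different destinations on `port` within `window`."""
    recent = defaultdict(deque)   # src -> (timestamp, dst) pairs still in window
    flagged = {}
    for ts, src, dst, dport in sorted(events):
        if dport != port:
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:      # expire entries older than the window
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct >= min_hosts and src not in flagged:
            flagged[src] = (ts, distinct)
    return flagged

if __name__ == "__main__":
    for src, (when, hosts) in find_sweepers(build_sample()).items():
        print(f"{when} possible TCP/{445} sweep from {src}: {hosts} hosts in 60 s")
```

A plain packet-count threshold on port 445 would also fire for the busy client in this sample; counting distinct destinations does not.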



