[Snort-sigs] Effective rule for bots

Paul Schmehl pauls at ...1311...
Tue Apr 19 10:54:15 EDT 2005


--On Tuesday, April 19, 2005 12:14:15 PM -0500 Matt Jonkman 
<matt at ...2436...> wrote:

> We've got some similar up on bleeding snort in the scan category:
>
[snipped]
>
> We're going 200 in 60 seconds, which has proven to not false. Is your
> decision to go 500 based on some falses you had at a lower threshold?
>
No.  The original rule was for port 135 and worked well to catch Blaster. 
I chose 500 because it *always* caught Blaster and *seldom* caught anyone 
else.  (I did catch a tech doing automated pings once.)

When I created the new rule I simply kept the same threshold and tested it, 
and it worked.

I wasn't aware of all the work you guys had done in that area.

Paul Schmehl (pauls at ...1311...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
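To make the "N attempts in 60 seconds, tracked by source" logic being compared above concrete, here is an added example that is not from this thread, from Bleeding Snort, or from Snort itself. It implements a per-source sliding-window counter in Python and runs it over constructed connection events (the IPs, counts and timings are made up) so the two thresholds under discussion, 200/60s and 500/60s, can be compared on the same input.

```python
from collections import defaultdict, deque

# Constructed sample events: (timestamp_seconds, src_ip, dst_port).
# None of these hosts or rates are taken from the mailing-list thread.
def make_burst(src, start, n, duration, port=135):
    """n connection attempts from src spread evenly across duration seconds."""
    step = duration / n
    return [(start + i * step, src, port) for i in range(n)]

SAMPLE_EVENTS = sorted(
    make_burst("10.0.0.5", 0.0, 600, 30.0)     # worm-like burst (constructed)
    + make_burst("10.0.0.9", 5.0, 300, 50.0)   # admin sweep tool (constructed)
    + make_burst("10.0.0.2", 0.0, 20, 60.0)    # ordinary host (constructed)
)

def threshold_alerts(events, count, seconds, port=135):
    """Return one alert per (source, burst) whenever a source produces
    `count` or more attempts to `port` inside any window of `seconds`.
    This mimics a track-by-source threshold: the window is cleared after
    an alert, so a continuing burst alerts again only after `count` more
    hits. Events must be in timestamp order."""
    windows = defaultdict(deque)   # src -> timestamps still inside the window
    alerts = []
    for ts, src, dport in events:
        if dport != port:
            continue
        w = windows[src]
        w.append(ts)
        # Drop timestamps that have aged out of the window.
        while w and ts - w[0] > seconds:
            w.popleft()
        if len(w) >= count:
            alerts.append((round(ts, 3), src))
            w.clear()
    return alerts

def sources_flagged(events, count, seconds):
    """Distinct sources that would trip the threshold at least once."""
    return sorted({src for _, src in threshold_alerts(events, count, seconds)})

if __name__ == "__main__":
    for count in (200, 500):
        print(f"{count} hits / 60 s flags:", sources_flagged(SAMPLE_EVENTS, count, 60))
```

On the constructed data, the 200/60s setting flags both the worm-like host and the admin sweep, while 500/60s flags only the worm-like host; tuning the count is exactly the trade-off between catching slower scanners and avoiding alerts on legitimate automated tools.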
