[Snort-users] DOS rules for Nimda

McCammon, Keith Keith.McCammon at ...3497...
Thu Sep 26 07:26:03 EDT 2002

First things first, forget intrusion detection.  Implement some good ACL's at the border, and prevent the web servers from initiating any outside connections:  

access-list 110 permit tcp host x.x.x.x eq 80 any established
access-list 110 permit tcp host x.x.x.x eq 443 any established

Apply this inbound on the segment Ethernet interface (assuming Cisco here).  Legitimate traffic will not be affected, as those connections will be established when the interface sees them inbound (this is actually outbound traffic, but is not filtered as such until it reaches a serial interface).  This will do three things:

1) It will stop the worm from propagating,  
2) It will free up your router's resources, and
3) Keep the outgoing flood off of your Internet pipe

Once you've done that, then you can set up a simple Snort sensor on a monitoring port (likely monitoring the uplink from your core switch to your router's Ethernet interface).  All you need to do is download and compile Snort, test according to the USAGE guidelines, set your home net, and let 'er rip.  The snort.conf defaults should be just fine for catching and logging these systems, and no configuration of stream4 should no necessary in this instance.



> -----Original Message-----
> From: Richard Ellerbrock [mailto:richarde at ...6992...]
> Sent: Thursday, September 26, 2002 7:12 AM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] DOS rules for Nimda
> I am trying to help a very large site that is being killed by 
> denial of
> service due to a large number of MS type workstations 
> infected by Nimda.
> The standard snort rules are no good as no connection is 
> actually made,
> just a HUGE SYN flood looking for open Web servers to infect. Traffic
> looks like this:
> Each host sends 2x SYN packets exactly the same (same source port, SEQ
> and WIN size) to a remote host on port 80. Obviously never 
> gets a reply.
> Within a couple of milliseconds, tries another randon destination.
> Now my understanding of snort points to the stream4 processor to catch
> this stuff, but how to configure. The docs are a little 
> unclear to this
> snort newbie. I do get TTL evasion on stream4, but this does not
> indicate much.
> Any help with rules/setup for this would be great.
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

More information about the Snort-users mailing list