[Snort-users] DOS rules for Nimda

Tudor Panaitescu tpanaitescu at ...2032...
Thu Sep 26 07:39:03 EDT 2002

Even Better (assuming that you have Cisco):

http://www.cisco.com/warp/public/63/nimda.shtml

Enjoy,
T
To: "Richard Ellerbrock" <richarde at ...6992...>, snort-users at lists.sourceforge.net
cc: (bcc: Tudor Panaitescu/ColorconUS)
Subject: RE: [Snort-users] DOS rules for Nimda

First things first, forget intrusion detection. Implement some good ACLs at
the border, and prevent the web servers from initiating any outside connections:

access-list 110 permit tcp host x.x.x.x eq 80 any established
access-list 110 permit tcp host x.x.x.x eq 443 any established

Apply this inbound on the segment Ethernet interface (assuming Cisco here).
Legitimate traffic will not be affected, as those connections will be
established when the interface sees them inbound (this is actually outbound
traffic, but is not filtered as such until it reaches a serial interface). This
will do three things:

1) It will stop the worm from propagating,
2) It will free up your router's resources, and
3) Keep the outgoing flood off of your Internet pipe

Once you've done that, then you can set up a simple Snort sensor on a monitoring
port (likely monitoring the uplink from your core switch to your router's
Ethernet interface). All you need to do is download and compile Snort, test
according to the USAGE guidelines, set your home net, and let 'er rip. The
snort.conf defaults should be just fine for catching and logging these systems,
and no configuration of stream4 should be necessary in this instance.

Cheers

Keith



> -----Original Message-----
> From: Richard Ellerbrock [mailto:richarde at ...6992...]
> Sent: Thursday, September 26, 2002 7:12 AM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] DOS rules for Nimda
>
>
> I am trying to help a very large site that is being killed by
> denial of
> service due to a large number of MS type workstations
> infected by Nimda.
> The standard snort rules are no good as no connection is
> actually made,
> just a HUGE SYN flood looking for open Web servers to infect. Traffic
> looks like this:
>
> Each host sends 2x SYN packets exactly the same (same source port, SEQ
> and WIN size) to a remote host on port 80. Obviously never
> gets a reply.
> Within a couple of milliseconds, tries another random destination.
>
> Now my understanding of snort points to the stream4 processor to catch
> this stuff, but how to configure. The docs are a little
> unclear to this
> snort newbie. I do get TTL evasion on stream4, but this does not
> indicate much.
>
> Any help with rules/setup for this would be great.
>
>
>
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>


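The scanning pattern Richard describes above (paired identical SYNs to port 80, then on to another random host, never answered) can be picked out of a packet log without any stream reassembly. The following is an added example, not code from any of the posters: it reads a constructed one-line-per-packet record format with constructed addresses, and the `find_scanners` threshold of three unanswered targets is an assumption.

```python
from collections import defaultdict

# Constructed sample packet records (not a real capture format):
# "time src:sport > dst:dport flags seq=N win=N". Host 10.1.1.5 shows the
# pattern from the thread: pairs of identical SYNs to port 80 on one host, then
# on to the next, never answered. Host 10.1.1.9 completes a normal handshake.
SAMPLE_PACKETS = """\
0.000 10.1.1.5:1045 > 198.51.100.7:80 S seq=8812 win=8192
0.001 10.1.1.5:1045 > 198.51.100.7:80 S seq=8812 win=8192
0.004 10.1.1.5:1046 > 203.0.113.42:80 S seq=8813 win=8192
0.005 10.1.1.5:1046 > 203.0.113.42:80 S seq=8813 win=8192
0.009 10.1.1.5:1047 > 192.0.2.88:80 S seq=8814 win=8192
0.010 10.1.1.5:1047 > 192.0.2.88:80 S seq=8814 win=8192
0.020 10.1.1.9:3022 > 192.0.2.10:80 S seq=5000 win=16384
0.030 192.0.2.10:80 > 10.1.1.9:3022 SA seq=7000 win=16384
0.031 10.1.1.9:3022 > 192.0.2.10:80 A seq=5001 win=16384
"""


def parse(line):
    """Split one constructed record into its fields."""
    t, src, _, dst, flags, seq, win = line.split()
    shost, sport = src.split(":")
    dhost, dport = dst.split(":")
    return {"time": float(t), "shost": shost, "sport": int(sport),
            "dhost": dhost, "dport": int(dport), "flags": flags,
            "seq": int(seq.split("=")[1]), "win": int(win.split("=")[1])}


def find_scanners(text, min_targets=3):
    """Return {source_host: [unanswered targets]} for hosts that sent
    duplicated SYNs (same sport/seq/win) to >= min_targets web servers
    and never got a SYN/ACK back from any of them."""
    syns = defaultdict(lambda: defaultdict(int))   # shost -> syn key -> count
    answered = set()                               # (client, server) with SYN/ACK
    for line in text.splitlines():
        p = parse(line)
        if p["flags"] == "S" and p["dport"] == 80:
            syns[p["shost"]][(p["dhost"], p["sport"], p["seq"], p["win"])] += 1
        elif "S" in p["flags"] and "A" in p["flags"] and p["sport"] == 80:
            answered.add((p["dhost"], p["shost"]))
    scanners = {}
    for shost, keyed in syns.items():
        dup_targets = {key[0] for key, n in keyed.items() if n >= 2}
        unanswered = {d for d in dup_targets if (shost, d) not in answered}
        if len(unanswered) >= min_targets:
            scanners[shost] = sorted(unanswered)
    return scanners
```

Hosts it returns are candidates for the border ACL treatment Keith describes; the normal client that got its SYN/ACK is left alone.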
