[Snort-users] DOS rules for Nimda
richarde at ...6992...
Thu Sep 26 09:29:01 EDT 2002
Getting back to the Cisco rule option: it is not really going to work, as it
will be difficult to deploy to over 700 routers/sites. All these sites
are on one large intranet connected via a single Internet connection, and
at the Internet connection, in front of the firewall, is where I have
deployed a sensor. What I have done in the meantime is to scan for TCP
SYNs on port 80 hitting the firewall with destination addresses that
are in the internal 10.0.0.0/8 address space (not all of the space is used, so
some unknown destinations hit the firewall due to the default route).
This solution is not portable or 100% reliable, and it also requires my own
rules. See my other note to Martin for the real requirement/solution!
>>> "Madziarczyk, Jonathan" <than at ...3657...> 2002/09/26
> Even better (assuming that you have Cisco):
> If you use this, please make sure you have IOS ver 12.2(10a) or
> There's a bug where it doesn't catch all packets if you have a "log"
> statement in an ACL that is applied to the same interface.
> Otherwise it works great!
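The interim detection described in the message above (initial SYNs to TCP/80 that reach the edge sensor with a 10.0.0.0/8 destination, which can only happen when the destination is unallocated inside the intranet) can be reproduced offline as a small detector. The code below is an added example written for this page, not the poster's actual Snort rules or any Snort output: the packet records are constructed, the per-source threshold (5 distinct unused targets within 60 seconds) and the requirement that the source also be internal are my assumptions, and the function names are my own.

```python
import ipaddress
from collections import defaultdict

# Address space behind the firewall. Per the post, not all of it is allocated,
# so packets for unused 10/8 addresses follow the default route out to the
# Internet edge, where the sensor sees them.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Constructed sample records (time_s, src, dst, dport, tcp_flags); not real
# sensor output. 10.1.2.3 plays a Nimda-style host scanning unused space.
SAMPLE_PACKETS = [
    (0.0, "10.1.2.3", "10.200.0.1", 80, "S"),
    (0.5, "10.1.2.3", "10.200.0.2", 80, "S"),
    (1.0, "10.1.2.3", "10.200.0.3", 80, "S"),
    (1.5, "10.1.2.3", "10.200.0.4", 80, "S"),
    (2.0, "10.1.2.3", "10.200.0.5", 80, "S"),
    (2.5, "10.1.2.3", "10.200.0.6", 80, "S"),
    (2.6, "10.1.2.3", "10.200.0.6", 80, "S"),    # retransmit, same target
    (3.0, "10.1.2.3", "10.200.0.7", 443, "S"),   # not port 80
    (3.5, "10.1.2.3", "10.200.0.8", 80, "SA"),   # SYN/ACK, not an initial SYN
    (4.0, "10.5.5.5", "10.200.9.9", 80, "S"),    # one stray SYN, below threshold
    (4.5, "203.0.113.7", "10.9.9.9", 80, "S"),   # external source, not this check
    (5.0, "10.1.2.3", "198.51.100.10", 80, "S"), # genuine Internet destination
]


def is_suspect_syn(src, dst, dport, flags):
    """True for an initial SYN to TCP/80 sent by an internal host to an internal
    10/8 address. Seen at the Internet edge, such a packet means the intranet
    had no route for the destination, i.e. the address is unused."""
    if flags != "S" or dport != 80:
        return False
    return (ipaddress.ip_address(src) in INTERNAL
            and ipaddress.ip_address(dst) in INTERNAL)


def find_scanners(packets, min_targets=5, window=60.0):
    """Alert on sources that hit at least min_targets distinct suspect
    destinations within any `window` seconds (threshold values are assumed).
    Returns [(src, distinct_targets_in_busiest_window), ...]."""
    events = defaultdict(list)
    for t, src, dst, dport, flags in packets:
        if is_suspect_syn(src, dst, dport, flags):
            events[src].append((t, dst))

    alerts = []
    for src, evs in events.items():
        evs.sort()
        busiest = 0
        # Sliding window anchored at each event; distinct targets, so a
        # retransmitted SYN to the same address is not counted twice.
        for i in range(len(evs)):
            targets = set()
            for t, dst in evs[i:]:
                if t - evs[i][0] > window:
                    break
                targets.add(dst)
            busiest = max(busiest, len(targets))
        if busiest >= min_targets:
            alerts.append((src, busiest))
    return alerts


if __name__ == "__main__":
    for src, n in find_scanners(SAMPLE_PACKETS):
        print(f"ALERT possible worm scan from {src}: "
              f"{n} unused internal web targets within 60s")
```

Counting distinct destinations per source, rather than raw SYNs, is what separates a scanning host from a single misdirected connection; the threshold still has to be tuned against whatever legitimate traffic to unallocated 10/8 addresses the site normally leaks to its default route.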