[Snort-users] DOS rules for Nimda

Richard Ellerbrock richarde at ...6992...
Thu Sep 26 09:29:01 EDT 2002


Getting back to the cisco rule option - not really going to work as it
will be difficult deploying to over 700 routers/sites. All these sites
are on one large Intranet connected via a single Internet connection and
at the Internet connection in front of the firewall is where I have
deployed a sensor. What I have done in the meantime is to scan for TCP
SYNs on port 80 hitting the firewall with destination addresses that
are in the internal 10.0.0.0/8 address space (not all space is used, so
some unknown destinations hit the firewall due to the default route).
This solution is not portable and 100% reliable - also requires my own
rules. See my other note to Martin for the real requirement/solution!

>>> "Madziarczyk, Jonathan" <than at ...3657...> 2002/09/26 05:22:53 >>>


>Even Better (assuming that you have Cisco):
>
>http://www.cisco.com/warp/public/63/nimda.shtml 

If you use this, please make sure you have IOS ver 12.2(10a) or
higher.
There's a bug where it doesn't catch all packets if you have a "log"
statement in an ACL that is applied to the same interface.

Otherwise it works great!

My .02
~than
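The detection Richard describes above (TCP SYNs to port 80 whose destination lies in 10.0.0.0/8 but in no allocated subnet, which only reach the Internet-facing sensor because the default route carries them there) can be expressed as a small script. The following is an added example and is not code from the post or from the Snort project; the allocated subnets, the alert threshold and the packet records are all constructed for the example. A Snort rule of the shape `alert tcp any any -> 10.0.0.0/8 80 (flags:S; ...)` catches the same SYNs but cannot by itself exclude the allocated subnets, which is what the script adds.

```python
"""
Added example (not from the original post): flag internal hosts that send
TCP SYNs to port 80 at addresses inside 10.0.0.0/8 that belong to no
allocated subnet. Such packets only reach the Internet-facing sensor
because the default route carries traffic for unused internal space
outward, which is the Nimda symptom described in the thread.
"""
import ipaddress
from collections import Counter

INTERNAL_SPACE = ipaddress.ip_network("10.0.0.0/8")

# Assumed allocation of the intranet: subnets actually in use. Anything in
# 10/8 outside these is "dark" space and is never a legitimate web target.
ALLOCATED = [
    ipaddress.ip_network(n) for n in ("10.1.0.0/16", "10.2.0.0/16", "10.50.0.0/16")
]

# Constructed sample of packets seen at the sensor: (src, dst, dport, tcp_flags)
SAMPLE_PACKETS = [
    ("10.1.4.20", "10.37.12.5", 80, "S"),
    ("10.1.4.20", "10.200.1.1", 80, "S"),
    ("10.1.4.20", "10.9.9.9", 80, "S"),
    ("10.1.4.20", "10.2.3.4", 80, "S"),      # allocated subnet, ignore
    ("10.2.3.4", "192.0.2.10", 80, "S"),     # outbound to the Internet, ignore
    ("10.50.0.7", "10.120.0.1", 80, "S"),
    ("10.50.0.7", "10.120.0.1", 80, "A"),    # not a bare SYN, ignore
    ("10.1.4.20", "10.66.1.1", 443, "S"),    # not port 80, ignore
]


def is_dark_internal(dst):
    """True if dst is inside 10/8 but outside every allocated subnet."""
    addr = ipaddress.ip_address(dst)
    return addr in INTERNAL_SPACE and not any(addr in net for net in ALLOCATED)


def count_dark_syns(packets):
    """Count, per source host, bare SYNs to port 80 aimed at dark internal space."""
    counts = Counter()
    for src, dst, dport, flags in packets:
        if dport == 80 and flags == "S" and is_dark_internal(dst):
            counts[src] += 1
    return counts


def suspected_scanners(packets, threshold=3):
    """Sources whose dark-space SYN count meets the (assumed) alert threshold."""
    return sorted(src for src, n in count_dark_syns(packets).items() if n >= threshold)


if __name__ == "__main__":
    for src, n in count_dark_syns(SAMPLE_PACKETS).most_common():
        print(f"{src}: {n} SYNs to unused 10/8 space")
    print("suspected scanners:", suspected_scanners(SAMPLE_PACKETS))
```

The allocated-subnet list is the part that makes this site-specific, which matches Richard's remark that the approach is not portable: it is only as good as the sensor operator's knowledge of which parts of 10/8 are really in use.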
