[Snort-users] DOS rules for Nimda

Richard Ellerbrock richarde at ...6992...
Thu Sep 26 09:29:01 EDT 2002

Getting back to the cisco rule option - not really going to work as it
will be difficult deploying to over 700 routers/sites. All these sites
are on one large Intranet connected via a single Internet connection and
at the Internet connection in front of the firewall is where I have
deployed a sensor. What I have done in the meantime is to scan for TCP
SYNs on port 80 hitting the firewall with destination addresses that
are in the internal address space (not all space is used, so
some unknown destinations hit the firewall due to the default route).
This solution is not portable and 100% reliable - also requires my own
rules. See my other note to Martin for the real requirement/solution!

>>> "Madziarczyk, Jonathan" <than at ...3657...> 2002/09/26 05:22:53 >>>

>Even Better (assuming that you have Cisco):

If you use this, please make sure you have IOS ver 12.2(10a) or
There's a bug where it doesn't catch all packets if you have a "log"
statement in an ACL that is applied to the same interface.

Otherwise it works great!

My .02
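
The interim detection Richard describes above (flag TCP SYNs to port 80 whose destination lies inside the intranet's address range but in no allocated subnet, i.e. traffic that only reaches the firewall because of the default route) can be sketched as a small offline script. This is an added example, not code from the thread or from Snort; the intranet range 10.0.0.0/8, the two allocated /16s, the per-source threshold and the packet records are all constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed topology (assumption, not from the post): the whole intranet
# is 10.0.0.0/8, but only two /16s are actually handed out to sites. Any
# other 10.x destination is "dark" space that legitimate clients never use.
INTERNAL_SPACE = ipaddress.ip_network("10.0.0.0/8")
ALLOCATED = [
    ipaddress.ip_network("10.1.0.0/16"),
    ipaddress.ip_network("10.2.0.0/16"),
]


def is_dark_destination(dst, internal=INTERNAL_SPACE, allocated=ALLOCATED):
    """True if dst is inside the intranet range but in no allocated subnet."""
    addr = ipaddress.ip_address(dst)
    if addr not in internal:
        return False          # Internet-bound traffic is out of scope here
    return not any(addr in net for net in allocated)


def is_http_syn(pkt):
    """A bare SYN (no ACK) to TCP/80, i.e. a new connection attempt."""
    return pkt["proto"] == "tcp" and pkt["dport"] == 80 and pkt["flags"] == "S"


def find_scanners(packets, threshold=3):
    """Count dark-space HTTP SYNs per source; report sources at/over threshold.

    The threshold is a constructed tuning knob: a single stray SYN to an
    unused address is not evidence of scanning, a run of them is.
    """
    hits = Counter()
    for pkt in packets:
        if is_http_syn(pkt) and is_dark_destination(pkt["dst"]):
            hits[pkt["src"]] += 1
    return {src: n for src, n in hits.items() if n >= threshold}


# Constructed packet records, as a sensor in front of the firewall might
# summarise them: one host walking sequential unused addresses on port 80,
# plus normal traffic that must not be flagged.
SAMPLE_PACKETS = [
    {"src": "10.1.5.20", "dst": "10.7.0.1", "proto": "tcp", "dport": 80, "flags": "S"},
    {"src": "10.1.5.20", "dst": "10.7.0.2", "proto": "tcp", "dport": 80, "flags": "S"},
    {"src": "10.1.5.20", "dst": "10.7.0.3", "proto": "tcp", "dport": 80, "flags": "S"},
    {"src": "10.1.5.20", "dst": "10.7.0.4", "proto": "tcp", "dport": 80, "flags": "S"},
    # legitimate intranet web request to an allocated address: ignored
    {"src": "10.2.3.4", "dst": "10.1.0.10", "proto": "tcp", "dport": 80, "flags": "S"},
    # reply half of that connection (SYN/ACK): not a new attempt
    {"src": "10.1.0.10", "dst": "10.2.3.4", "proto": "tcp", "dport": 34512, "flags": "SA"},
    # one stray SYN to dark space from another host: below threshold
    {"src": "10.1.5.21", "dst": "10.9.9.9", "proto": "tcp", "dport": 80, "flags": "S"},
    # dark destination but not port 80: outside this rule's scope
    {"src": "10.1.5.22", "dst": "10.7.0.1", "proto": "tcp", "dport": 443, "flags": "S"},
    # outbound to the Internet: out of scope
    {"src": "10.1.5.23", "dst": "192.0.2.1", "proto": "tcp", "dport": 80, "flags": "S"},
]

if __name__ == "__main__":
    for src, n in find_scanners(SAMPLE_PACKETS).items():
        print(f"{src}: {n} HTTP SYNs to unallocated internal addresses")
```

The allocated-subnet list is the part that makes this non-portable, as the post notes: it has to mirror the site's real address plan, and any address handed out later without updating it becomes a false positive.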
