[Snort-users] Who doesn't care about virus rules, and why?
ccidsh at ...10480...
Thu Nov 6 06:33:23 EST 2003
Williams Jon wrote:
> What we've ended up doing is monitoring the default route path for
> our network and watching for either TCP SYNs that are going places
> they shouldn't or TCP RST packets generated either by the firewall or
> the odd host that is actually hit. With thresholding, we can
> generate fairly useful alerts in cases where, in Blaster's case, one
> source address sends out TCP port 135 SYN packets to more than X
> number of hosts in Y period of time. This is so reliable, in nearly
> every case we've used it on, that we are able to auto-generate email
> alerts that go to someone else to actually _deal_ with the problem
> rather than making the IDS staff track down and call each victim
We're doing something similar with ICMP on our network, but how can you
tell the difference between large numbers of hosts and large numbers of
packets to a single host? Would you mind posting one of your rules to
illustrate the point?
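Added example (not part of the original thread, and not Jon's rule): the question above is exactly the gap in a plain per-source packet threshold. A Snort `threshold: type threshold, track by_src` clause counts matching events from one source regardless of destination, so forty retries to a single host and one SYN each to forty hosts look the same to it. The Python below keeps a sliding window per source and compares the two measures on a constructed set of SYN observations: one source fanning out to twelve hosts on port 135, another hammering a single host. The sample addresses, the 60-second window and the thresholds (20 packets, 10 distinct hosts) are assumptions chosen for the illustration.

```python
from collections import defaultdict, deque

# Constructed sample of observed TCP SYNs: (timestamp_seconds, src, dst, dport).
# 10.0.0.5 sends one SYN to port 135 on each of 12 distinct hosts (worm-like fan-out).
# 10.0.0.9 sends 40 SYNs to port 135 on one host (a retrying client, not a scan).
SAMPLE_SYNS = [
    *[(t, "10.0.0.5", f"10.0.1.{t}", 135) for t in range(1, 13)],
    *[(t, "10.0.0.9", "10.0.2.1", 135) for t in range(1, 41)],
]


def packet_count_sources(events, port=135, count=20, seconds=60):
    """Flag a source once it sends `count` SYNs to `port` within `seconds`,
    to any destinations. This mirrors a per-source packet threshold and
    cannot separate a scan from a single noisy connection."""
    window = defaultdict(deque)  # src -> timestamps inside the sliding window
    flagged = set()
    for ts, src, _dst, dport in sorted(events):
        if dport != port:
            continue
        q = window[src]
        q.append(ts)
        while ts - q[0] > seconds:  # expire timestamps older than the window
            q.popleft()
        if len(q) >= count:
            flagged.add(src)
    return flagged


def fan_out_sources(events, port=135, hosts=10, seconds=60):
    """Flag a source once it has touched `hosts` distinct destinations on
    `port` within `seconds`. Counting destinations rather than packets is
    what distinguishes "many hosts" from "many packets to one host"."""
    window = defaultdict(deque)  # src -> (timestamp, dst) inside the window
    flagged = set()
    for ts, src, dst, dport in sorted(events):
        if dport != port:
            continue
        q = window[src]
        q.append((ts, dst))
        while ts - q[0][0] > seconds:
            q.popleft()
        if len({d for _, d in q}) >= hosts:
            flagged.add(src)
    return flagged


if __name__ == "__main__":
    print("packet-count threshold flags:", packet_count_sources(SAMPLE_SYNS))
    print("distinct-host threshold flags:", fan_out_sources(SAMPLE_SYNS))
```

On the sample, the packet-count rule flags only 10.0.0.9 and the distinct-host rule flags only 10.0.0.5, which is the difference the question is asking about. In practice the same idea can be applied to RSTs from the firewall or the rare hit host, keyed on the original source address, and the window and host count tuned to how chatty legitimate clients are on the segment being watched.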