[Snort-users] Who doesn't care about virus rules, and why?

Iain Hallam ccidsh at ...10480...
Thu Nov 6 06:33:23 EST 2003

Williams Jon wrote:
> What we've ended up doing is monitoring the default route path for
> our network and watching for either TCP SYNs that are going places
> they shouldn't or TCP RST packets generated either by the firewall or
> the odd host that is actually hit.  With thresholding, we can
> generate fairly useful alerts in cases where, in Blaster's case, one
> source address sends out TCP port 135 SYN packets to more than X
> number of hosts in Y period of time.  This is so reliable, in nearly
> every case we've used it on, that we are able to auto-generate email
> alerts that go to someone else to actually _deal_ with the problem
> rather than making the IDS staff track down and call each victim
> independently.

We're doing something similar with ICMP on our network, but how can you 
tell the difference between large numbers of hosts and large numbers of 
packets to a single host? Would you mind posting one of your rules to 
illustrate the point?
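The distinction Iain asks about (many destination hosts versus many packets to one host) is a question of what the sliding window counts. Snort's `threshold` keyword counts rule matches per tracked address rather than distinct destinations, so a thresholded port 135 SYN rule fires for both cases. The script below is an added example, not code from the thread or from Snort: it runs both measures over constructed flow records of the form `epoch src dst dport flag`, with `detect_sweeps` keyed on distinct destinations and `detect_packet_bursts` keyed on raw packet count, so the two outcomes can be compared on the same input. Function names, field layout and sample addresses are all assumptions made for the example.

```python
"""Sliding-window sweep detector over constructed flow records.

Added example for the thread above; not Snort code and not from the list.
It separates 'one source -> many distinct hosts' (a Blaster-style sweep)
from 'one source -> many packets to a single host' (retransmissions,
a stuck client), which a plain per-source packet count cannot do.
"""
from collections import defaultdict, deque

# Constructed sample records (not real traffic): "epoch_seconds src dst dport tcp_flag".
# 10.0.0.5 sweeps seven hosts on 135; 10.0.0.9 retransmits to one host on 135;
# 10.0.0.7 is unrelated port 80 traffic; the last line falls outside the window.
SAMPLE_LOG = """\
1000 10.0.0.5 10.0.1.1 135 S
1000 10.0.0.9 10.0.2.1 135 S
1001 10.0.0.5 10.0.1.2 135 S
1001 10.0.0.9 10.0.2.1 135 S
1002 10.0.0.5 10.0.1.3 135 S
1002 10.0.0.9 10.0.2.1 135 S
1003 10.0.0.5 10.0.1.4 135 S
1003 10.0.0.9 10.0.2.1 135 S
1004 10.0.0.5 10.0.1.5 135 S
1004 10.0.0.9 10.0.2.1 135 S
1005 10.0.0.5 10.0.1.6 135 S
1005 10.0.0.9 10.0.2.1 135 S
1006 10.0.0.7 10.0.3.1 80 S
1500 10.0.0.5 10.0.1.7 135 S
"""


def parse(lines):
    """Yield (ts, src, dst, dport, flag) tuples, skipping blank and comment lines."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, flag = line.split()
        yield int(ts), src, dst, int(dport), flag


def _windowed(lines, dport, window, measure, limit):
    """Per source, keep the (ts, dst) pairs for SYNs to `dport` seen in the
    last `window` seconds; raise one alert per source the first time
    measure(window_entries) exceeds `limit`.  Returns [(src, ts, value)]."""
    seen = defaultdict(deque)   # src -> deque of (ts, dst), oldest first
    alerted = set()
    alerts = []
    for ts, src, dst, port, flag in parse(lines):
        if port != dport or flag != "S":
            continue
        q = seen[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:   # expire entries older than the window
            q.popleft()
        value = measure(q)
        if value > limit and src not in alerted:
            alerted.add(src)
            alerts.append((src, ts, value))
    return alerts


def detect_sweeps(lines, dport=135, max_hosts=5, window=60):
    """Alert when one source sends SYNs to more than max_hosts DISTINCT hosts
    within `window` seconds (the 'X hosts in Y seconds' rule from the thread)."""
    return _windowed(lines, dport, window, lambda q: len({d for _, d in q}), max_hosts)


def detect_packet_bursts(lines, dport=135, max_packets=5, window=60):
    """Alert on more than max_packets matching SYNs from one source, regardless
    of how many destinations they go to (a plain per-source packet count)."""
    return _windowed(lines, dport, window, len, max_packets)


if __name__ == "__main__":
    records = SAMPLE_LOG.splitlines()
    print("distinct-host sweeps :", detect_sweeps(records))
    print("packet-count bursts  :", detect_packet_bursts(records))
```

On the sample input only 10.0.0.5 trips the distinct-host rule, while the packet-count rule flags both 10.0.0.5 and 10.0.0.9; the per-source deque is what makes the host count cheap, and keying the same window on distinct destination addresses is the part a packet threshold alone does not give you.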
