[Snort-users] Who doesn't care about virus rules, and why?

Jason Haar Jason.Haar at ...10172...
Thu Nov 6 08:45:14 EST 2003

Williams Jon said:

> The majority of worms that I've seen, with the notable exception of
> SQLSlammer, are TCP-based.  They also use a randomization technique to
> spread beyond their local subnet.  What this ends up meaning is that
> something like 90% of the time (in networks I monitor), the worm tries
> to connect to non-existant or unreachable IP addresses.  In these
> cases, if you're only looking for the worm-specific data within the
> session, your rules won't trigger - all that passes the sensor (if
> anything) is the TCP SYN packet and maybe a TCP RST.

So true. Here I managed to "merge" the projects of implementing IDS with
centralized logging and alerting - to the extent that we now have places
our firewall and router ACL block records get recorded to, and something
that triggers alerts based on them (the important bit). Being able to
trigger alerts when port 135 packets are blocked can give you *hours* of a
head start on finding and cleaning a BLASTER PC, before it gets around to
scaning a subnet that actually would work. Waiting on the IDS to show you
it actually infecting another machine isn't so pro-active.
Of course, False Positivies with the ACL alerts are a lot more of an
issue. e.g. we found that our Exchange admins set off the rule whenever
they were using the Message Tracking tool  - it causes Exchange to make
port 135 connections to every SMTP server a mail message routes through -

More information about the Snort-users mailing list