[Snort-users] Snort to detect Window worms & scanners etc.
lundman at ...11719...
Tue Apr 27 07:39:08 EDT 2004
(Hopefully this will be allowed through - not on the mailing list).
We have the situation here that we use a Solaris box and ipf/ipnat to let all on
the inside talk to the outside. We don't really need to protect ourselves from
incoming scans (except on the NAT box itself); rather, the trouble that
happens most frequently is that the Windows users (so far, 100% only Windows)
manage to infect themselves with whatever worms, trojans, viruses etc. These often
start scanning, or DDoSing the net.
I would like to find a tool that would mostly look for these patterns. Generally
it is quite easy to spot them (cycling IPs or mass packet storms) but something
automatic would be nice. If it would also pick out other questionable packets
that would be a bonus too.
Presumably it would need its DB regularly updated for whatever new flavour is
Is this something snort does? I read the FAQ and got the feeling it was
concentrating more on attacks, and scans?
I apologise for the noise..
Please CC: me if you reply.
Jorgen Lundman | <lundman at ...11719...>
Unix Administrator | +81 (0)3 -5456-2687 ext 1017 (work)
Shibuya-ku, Tokyo | +81 (0)90-5578-8500 (cell)
Japan | +81 (0)3 -3375-1767 (home)