[Snort-users] Snort to detect Window worms & scanners etc.

Jorgen Lundman lundman at ...11719...
Tue Apr 27 07:39:08 EDT 2004


(Hopefully this will be allowed through - not on the mailling list).

We have the situation here that we use a Solaris box and ipf/ipnat to let all on 
the inside talk to the outside. We don't really need to protect ourselves from 
incoming scans (except on the nat box itself) but rather that the troubles that 
happen most frequently is that the Windows users (so far, 100% only Windows) 
manage to infect themselves with whatever Worm, Trojans, Virus etc. These often 
start scanning, or DDOSing the net.

I would like to find a tool that would mostly look for these patterns. Generally 
it is quite easy to spot them (cycling IPs or mass packet storms) but something 
automatic would be nice. If it would also pick out other questionable packets 
that would be a bonus too.

Presumably it would need its DB regularly updated for whatever new flavour is 
out there.

Is this something snort does? I read the FAQ and got the feeling it was 
concentrating more on attacks, and scans?

I apologise for the noise..

Please CC: me if you reply.

Lund

-- 
Jorgen Lundman       | <lundman at ...11719...>
Unix Administrator   | +81 (0)3 -5456-2687 ext 1017 (work)
Shibuya-ku, Tokyo    | +81 (0)90-5578-8500          (cell)
Japan                | +81 (0)3 -3375-1767          (home)




More information about the Snort-users mailing list