[Snort-users] New Sasser Worm Signatures

Alan ids at ...8382...
Tue May 11 01:58:12 EDT 2004


Hi Everyone-

	I've been testing a Snort Sensor off of a cable modem running version 2.1.1 for
the past few weeks. I'm using IDS Policy Manager and using their
snortrules-current.zip, which, I assume, is Snort.org's
snortrules-snapshot-CURRENT.tar.gz. I have the latest rules for the Sasser
worm and I've noticed I have not been hit once by it. Is this unusual?  I
figured after reading how fast the worm is spreading I would have at least
seen it hit the sensor a few times. Could it be that my ISP is filtering the
worm somehow? To be honest I don't even see a wide variety of attacks on my
sensor. The most common are Slammer, ShellCode NOOPS, WEB-IIS unicode
directory traversal attempts and Code Red. That's about it. I know the
sensor is functioning properly; if I hit it with the CIS scanner, alerts go
off like crazy, but because I'm using the sensor to collect data on attacks
it's kind of disappointing not to see a greater variety of attacks. Is there
something I might be doing wrong that might not allow my Snort to pick
up certain attacks? Any feedback would be greatly appreciated.




Thanks in advance!


Alan

I'm doing a (free) operating system (just a hobby, won't be big and
professional like gnu) for 386(486) AT clones.

Linus (torvalds at ...11786...)
Date: 1991-08-25 23:12:08 PST





