[Snort-users] New Sasser Worm Signatures

Sheahan, Paul Paul.Sheahan at ...2218...
Tue May 11 11:00:02 EDT 2004


Do you have your sensor inside your firewall? Assuming so, then your
firewall will block many attacks before they reach your sensor.

Example: Sasser scans for port 445, if your firewall blocks 445 (it
should!), then the sensor inside the firewall will not see anything.

Other things like slammer have died out quite a bit and won't be seen as
much as they used to. 

Paul Sheahan
Information Security Manager

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Alan
Sent: Tuesday, May 11, 2004 4:58 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] New Sasser Worm Signatures

Hi Everyone-

	I'm testing a Snort Sensor off of a cable modem running version
2.1.1 for
the past few weeks. I'm using IDS Policy Manager and using their
snortrules-current.zip, which I assume, is Snort.org's
snortrules-snapshot-CURRENT.tar.gz. I have the latest rules for the
worm and I've noticed I have not been hit once from it. Is this unusual?
figured after reading how fast the worm is spreading I would have at
seen it hit the sensor a few times. Could it be that my ISP is filtering
worm somehow? To be honest I don't even see a wide variety of attacks on
sensor. The most common are Slammer, ShellCode NOOPS, WEB-IIS unicode
directory traversal attempts and Code Red. That's about it. I know the
sensor is functioning properly, if I hit it with the CIS scanner alerts
off like crazy but because I'm using the sensor to collect data on
it's kind of disappointing not to see a greater variety of attacks. Is
something I might be doing wrong that might not allow my Snort not to
up certain attacks? Any feedback would be greatly appreciated.

Thanks in advance!


I'm doing a (free) operating system (just a hobby, won't be big and
professional like gnu) for 386(486) AT clones.

Linus (torvalds at ...11786...)
Date: 1991-08-25 23:12:08 PST

This SF.Net email is sponsored by Sleepycat Software
Learn developer strategies Cisco, Motorola, Ericsson & Lucent use to 
deliver higher performing products faster, at low TCO.
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list