[Snort-users] Re: RE: Re: New Sasser Worm Signatures

ids at ...8382... ids at ...8382...
Tue May 11 12:48:03 EDT 2004


Your explaination makes total sense. Since the only thing off of the cable modem is the sensor itself I noticed that the only alerts I'm generating are services that I'm advertising (http, sql...etc). Since Sasser is a Windows vunerablilty and I don't have a Windows computer off of the modem , could that be possibly why I havn't seen an alert? Will Snort only generate alerts if it identifies an attack AND a there is a service runnning on a computer on the netwrok it is sensing on?  

Also you mentioned that I could create a rule where I could possibly capture all alerts. Could you elaborate on this?  



----- Original Message -----
From: Kevin Binsfield <kbinsfield at ...11788...>
Date: Tuesday, May 11, 2004 12:17 pm
Subject: RE: Re: New Sasser Worm Signatures

> Just checked an edge sensor at a small NOC, no firewall, mostly 
> *IX rail
> for all NMAP Ping alerts as this seems to be a good indicator of 
> SASSER.For last 2 months there are No hits at all until 4-29. Then 
> starting up
> again on 5-3 increased every day to 90+ then it's been slacking 
> off snce
> then. Currently about 30+/day.
> -----Original Message-----
> From: Kevin Binsfield [kbinsfield at ...11788...] 
> Sent: Tuesday, May 11, 2004 2:57 PM
> To: 'ids at ...8382...'
> Subject: Re: New Sasser Worm Signatures
> Wise words of Allan  (Paller?)
> (I'm digest mode so can't see your headers,etc but anyway)
> >>
> Message: 3
> From: "Alan" <ids at ...8382...>
> To: <snort-users at lists.sourceforge.net>
> Date: Tue, 11 May 2004 01:57:30 -0700
> Subject: [Snort-users] New Sasser Worm Signatures
> Hi Everyone-
> 	I'm testing a Snort Sensor off of a cable modem running version
> 2.1.1 for the past few weeks. I'm using IDS Policy Manager and using
> their snortrules-current.zip, which I assume, is Snort.org's
> snortrules-snapshot-CURRENT.tar.gz. I have the latest rules for the
> Sasser worm and I've noticed I have not been hit once from it. Is this
> unusual?  I figured after reading how fast the worm is spreading I 
> wouldhave at least seen it hit the sensor a few times. Could it be 
> that my
> ISP is filtering the worm somehow? To be honest I don't even see a 
> widevariety of attacks on my sensor. The most common are Slammer, 
> ShellCodeNOOPS, WEB-IIS unicode directory traversal attempts and 
> Code Red. That's
> about it. I know the sensor is functioning properly, if I hit it with
> the CIS scanner alerts go off like crazy but because I'm using the
> sensor to collect data on attacks it's kind of disappointing not 
> to see
> a greater variety of attacks. Is there something I might be doing 
> wrongthat might not allow my Snort not to pick up certain attacks? Any
> feedback would be greatly appreciated.
> <snip>

More information about the Snort-users mailing list