[Snort-users] New Sasser Worm Signatures

ids at ...8382...
Tue May 11 12:51:11 EDT 2004


Paul,

No, I don't have a firewall between Snort and the cable modem or inside the sensor.


Thanks!


Alan

----- Original Message -----
From: "Sheahan, Paul" <Paul.Sheahan at ...2218...>
Date: Tuesday, May 11, 2004 10:59 am
Subject: RE: [Snort-users] New Sasser Worm Signatures

> Alan, 
> 
> Do you have your sensor inside your firewall? Assuming so, then your
> firewall will block many attacks before they reach your sensor.
> 
> Example: Sasser scans for port 445, if your firewall blocks 445 (it
> should!), then the sensor inside the firewall will not see anything.
> 
> Other things like slammer have died out quite a bit and won't be seen as
> much as they used to.
> 
> Paul Sheahan
> Information Security Manager
> Priceline.com
> 
> 
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [snort-users-admin at lists.sourceforge.net] On Behalf Of Alan
> Sent: Tuesday, May 11, 2004 4:58 AM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] New Sasser Worm Signatures
> 
> Hi Everyone-
> 
> 	I'm testing a Snort Sensor off of a cable modem running version 2.1.1 for
> the past few weeks. I'm using IDS Policy Manager and using their
> snortrules-current.zip, which I assume is Snort.org's
> snortrules-snapshot-CURRENT.tar.gz. I have the latest rules for the Sasser
> worm and I've noticed I have not been hit once from it. Is this unusual? I
> figured after reading how fast the worm is spreading I would have at least
> seen it hit the sensor a few times. Could it be that my ISP is filtering the
> worm somehow? To be honest I don't even see a wide variety of attacks on my
> sensor. The most common are Slammer, ShellCode NOOPS, WEB-IIS unicode
> directory traversal attempts and Code Red. That's about it. I know the
> sensor is functioning properly; if I hit it with the CIS scanner alerts go
> off like crazy, but because I'm using the sensor to collect data on attacks
> it's kind of disappointing not to see a greater variety of attacks. Is
> there something I might be doing wrong that might not allow my Snort to
> pick up certain attacks? Any feedback would be greatly appreciated.
> 
> Thanks in advance!
> 
> Alan
> 
> I'm doing a (free) operating system (just a hobby, won't be big and
> professional like gnu) for 386(486) AT clones.
> 
> Linus (torvalds at ...11786...)
> Date: 1991-08-25 23:12:08 PST
> 
> 
> 
> 
> -------------------------------------------------------
> This SF.Net email is sponsored by Sleepycat Software
> Learn developer strategies Cisco, Motorola, Ericsson & Lucent use 
> to 
> deliver higher performing products faster, at low TCO.
> http://www.sleepycat.com/telcomwpreg.php?From=osdnemail3
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> 
>
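Paul's point in the thread is that a sensor behind a filtering device never sees the traffic that device drops, so "no Sasser alerts" may only mean "no port 445 traffic reaches the sensor". The script below is an added example (not from the thread, not part of Snort or IDS Policy Manager) that parses Snort alert_fast lines and reports which watched destination ports never appear at all; the alert lines, addresses and SIDs are constructed sample data, and the regex is written here for the example.

```python
import re
from collections import Counter

# Snort "fast" alert line (alert_fast output module); regex written for this example.
FAST_ALERT = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alerts. SIDs 1000001+ are local placeholders, not real ruleset SIDs;
# addresses are documentation ranges. Note: nothing here is aimed at port 445.
SAMPLE_ALERTS = """\
05/11-04:12:31.118452 [**] [1:1000001:1] MS-SQL Worm propagation attempt (Slammer) [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.7:1434 -> 198.51.100.20:1434
05/11-04:15:02.551204 [**] [1:1000002:1] SHELLCODE x86 NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 203.0.113.9:3321 -> 198.51.100.20:80
05/11-04:20:44.003911 [**] [1:1000003:1] WEB-IIS unicode directory traversal attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.12:40122 -> 198.51.100.20:80
05/11-04:31:09.770013 [**] [1:1000001:1] MS-SQL Worm propagation attempt (Slammer) [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.31:1434 -> 198.51.100.20:1434
"""

def parse_fast_alerts(text):
    """Parse alert_fast lines into dicts; lines that do not match the format are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_ALERT.match(line)
        if m:
            alerts.append(m.groupdict())
    return alerts

def visibility_report(alerts, watch_ports=(445,)):
    """Tally alerts by message and destination port, and list watched ports with zero alerts.

    A watched port with no alerts at all (rather than few) is the hint that something
    upstream of the sensor is dropping that traffic, not that the rules are wrong."""
    by_msg = Counter(a["msg"] for a in alerts)
    by_dport = Counter(int(a["dport"]) for a in alerts if a["dport"])
    unseen = [p for p in watch_ports if by_dport[p] == 0]
    return {"by_msg": by_msg, "by_dport": by_dport, "unseen_ports": unseen}

if __name__ == "__main__":
    report = visibility_report(parse_fast_alerts(SAMPLE_ALERTS), watch_ports=(445, 139, 1434))
    for msg, n in report["by_msg"].most_common():
        print(f"{n:4d}  {msg}")
    if report["unseen_ports"]:
        print("no alerts at all toward ports", report["unseen_ports"],
              "- check whether an upstream device filters them before the sensor")
```

Point it at a real alert file (alert_fast output) and the unseen-port list tells you whether the sensor is even positioned to see the traffic the new rules match.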
