Full Disclosure mailing list archives
RE: Snort on a Bootable FreeBSD CD to catch Nachi,Blaster & Sobig
From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Fri, 5 Sep 2003 09:43:21 -0500
-----Original Message----- From: Justin Tan [mailto:justin.tan () extol com my] Sent: Thursday, September 04, 2003 8:09 AM To: full-disclosure () lists netsys com Subject: [Full-disclosure] Snort on a Bootable FreeBSD CD to catch Nachi,Blaster & Sobig On Thu, 2003-09-04 at 20:45, Paul Schmehl wrote:Just curious - what sigs are you using for detection?Nachi & Sobig.F - by you, Paul Schmehl(pauls () utdallas edu). Msblaster by Brian Caswell <bmc () sourcefire com> & Nigel Houghton <nigel.houghton () sourcefire com> (http://www.snort.org/snort-db/sid.html?sid=2192) Nachi and Sobig.F tested, works fine. Great job there. Only problem is with a possible false positive (Sobig.F sig) with Crystal Reports listening oo port 8998.
I've also seen a handful of hits when a host queries DNS and happens to do that on 8998/UDP. Paul Schmehl (pauls () utdallas edu) Adjunct Information Security Officer The University of Texas at Dallas AVIEN Founding Member http://www.utdallas.edu/~pauls/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- RE: Snort on a Bootable FreeBSD CD to catch Nachi,Blaster & Sobig Schmehl, Paul L (Sep 05)