Full Disclosure mailing list archives

RE: Snort on a Bootable FreeBSD CD to catch Nachi,Blaster & Sobig

From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Fri, 5 Sep 2003 09:43:21 -0500

-----Original Message-----
From: Justin Tan [mailto:justin.tan () extol com my] 
Sent: Thursday, September 04, 2003 8:09 AM
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] Snort on a Bootable FreeBSD CD to 
catch Nachi,Blaster & Sobig


On Thu, 2003-09-04 at 20:45, Paul Schmehl wrote:

Just curious - what sigs are you using for detection?


Nachi & Sobig.F - by you, Paul Schmehl(pauls () utdallas edu). 
Msblaster by Brian Caswell <bmc () sourcefire com> & Nigel 
Houghton <nigel.houghton () sourcefire com>
(http://www.snort.org/snort-db/sid.html?sid=2192)

Nachi and Sobig.F tested, works fine. Great job there. Only 
problem is with a possible false positive (Sobig.F sig) with 
Crystal Reports listening oo port 8998.


I've also seen a handful of hits when a host queries DNS and happens to
do that on 8998/UDP.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

RE: Snort on a Bootable FreeBSD CD to catch Nachi,Blaster & Sobig Schmehl, Paul L (Sep 05)