Re: RE: New Sasser Worm Signatures

[ids () san rr com]

Paul,

No I don't have a firewall between Snort and the cable modem or inside the sensor. 


Thanks!


Alan

----- Original Message -----
From: "Sheahan, Paul" <Paul.Sheahan () priceline com>
Date: Tuesday, May 11, 2004 10:59 am
Subject: RE: [Snort-users] New Sasser Worm Signatures

> Alan, 
>
> Do you have your sensor inside your firewall? Assuming so, then your
> firewall will block many attacks before they reach your sensor.
>
> Example: Sasser scans for port 445, if your firewall blocks 445 (it
> should!), then the sensor inside the firewall will not see anything.
>
> Other things like slammer have died out quite a bit and won't be 
> seen as
> much as they used to. 
>
> Paul Sheahan
> Information Security Manager
> Priceline.com
>
>
> -----Original Message-----
> From: snort-users-admin () lists sourceforge net
> [snort-users-admin () lists sourceforge net] On Behalf Of Alan
> Sent: Tuesday, May 11, 2004 4:58 AM
> To: snort-users () lists sourceforge net
> Subject: [Snort-users] New Sasser Worm Signatures
>
> Hi Everyone-
>
>       I'm testing a Snort Sensor off of a cable modem running version
> 2.1.1 for
> the past few weeks. I'm using IDS Policy Manager and using their
> snortrules-current.zip, which I assume, is Snort.org's
> snortrules-snapshot-CURRENT.tar.gz. I have the latest rules for the
> Sasser
> worm and I've noticed I have not been hit once from it. Is this 
> unusual?I
> figured after reading how fast the worm is spreading I would have at
> least
> seen it hit the sensor a few times. Could it be that my ISP is 
> filteringthe
> worm somehow? To be honest I don't even see a wide variety of 
> attacks on
> my
> sensor. The most common are Slammer, ShellCode NOOPS, WEB-IIS unicode
> directory traversal attempts and Code Red. That's about it. I know the
> sensor is functioning properly, if I hit it with the CIS scanner 
> alertsgo
> off like crazy but because I'm using the sensor to collect data on
> attacks
> it's kind of disappointing not to see a greater variety of 
> attacks. Is
> there
> something I might be doing wrong that might not allow my Snort not to
> pick
> up certain attacks? Any feedback would be greatly appreciated.
>
>
>
>
> Thanks in advance!
>
>
> Alan
>
> I'm doing a (free) operating system (just a hobby, won't be big and
> professional like gnu) for 386(486) AT clones.
>
> Linus (torvalds () kruuna helsinki fi)
> Date: 1991-08-25 23:12:08 PST
>
>
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by Sleepycat Software
> Learn developer strategies Cisco, Motorola, Ericsson & Lucent use 
> to 
> deliver higher performing products faster, at low TCO.
> http://www.sleepycat.com/telcomwpreg.php?From=osdnemail3
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by Sleepycat Software
> Learn developer strategies Cisco, Motorola, Ericsson & Lucent use 
> to 
> deliver higher performing products faster, at low TCO.
> http://www.sleepycat.com/telcomwpreg.php?From?dnemail3
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list×ort-users



-------------------------------------------------------
This SF.Net email is sponsored by Sleepycat Software
Learn developer strategies Cisco, Motorola, Ericsson & Lucent use to
deliver higher performing products faster, at low TCO.
http://www.sleepycat.com/telcomwpreg.php?From=osdnemail3
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users