Snort mailing list archives
Re: RE: New Sasser Worm Signatures
From: ids () san rr com
Date: Tue, 11 May 2004 12:50:35 -0700
Paul,

No I don't have a firewall between Snort and the cable modem or inside the sensor.

Thanks!
Alan

----- Original Message -----
From: "Sheahan, Paul" <Paul.Sheahan () priceline com>
Date: Tuesday, May 11, 2004 10:59 am
Subject: RE: [Snort-users] New Sasser Worm Signatures
Alan,

Do you have your sensor inside your firewall? Assuming so, then your firewall will block many attacks before they reach your sensor. Example: Sasser scans for port 445, if your firewall blocks 445 (it should!), then the sensor inside the firewall will not see anything. Other things like slammer have died out quite a bit and won't be seen as much as they used to.

Paul Sheahan
Information Security Manager
Priceline.com

-----Original Message-----
From: snort-users-admin () lists sourceforge net [snort-users-admin () lists sourceforge net] On Behalf Of Alan
Sent: Tuesday, May 11, 2004 4:58 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] New Sasser Worm Signatures

Hi Everyone-

I'm testing a Snort Sensor off of a cable modem running version 2.1.1 for the past few weeks. I'm using IDS Policy Manager and using their snortrules-current.zip, which I assume, is Snort.org's snortrules-snapshot-CURRENT.tar.gz. I have the latest rules for the Sasser worm and I've noticed I have not been hit once from it. Is this unusual? I figured after reading how fast the worm is spreading I would have at least seen it hit the sensor a few times. Could it be that my ISP is filtering the worm somehow?

To be honest I don't even see a wide variety of attacks on my sensor. The most common are Slammer, ShellCode NOOPS, WEB-IIS unicode directory traversal attempts and Code Red. That's about it. I know the sensor is functioning properly, if I hit it with the CIS scanner alerts go off like crazy but because I'm using the sensor to collect data on attacks it's kind of disappointing not to see a greater variety of attacks.

Is there something I might be doing wrong that might not allow my Snort not to pick up certain attacks? Any feedback would be greatly appreciated.

Thanks in advance!
Alan

I'm doing a (free) operating system (just a hobby, won't be big and professional like gnu) for 386(486) AT clones.
Linus (torvalds () kruuna helsinki fi)
Date: 1991-08-25 23:12:08 PST

-------------------------------------------------------
This SF.Net email is sponsored by Sleepycat Software
Learn developer strategies Cisco, Motorola, Ericsson & Lucent use to deliver higher performing products faster, at low TCO.
http://www.sleepycat.com/telcomwpreg.php?From=osdnemail3
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users