[unisog] Bleeding Snort rules

Anderson Johnston andy at umbc.edu
Thu Aug 26 17:43:29 GMT 2004


We're putting together an active response NIDS based on Snort for our
residential network.  An alert on any rule will trigger a block on a
user's authentication until they contact us.  We're trying to isolate
rules with a very low chance of false positives - mainly obvious
indications of known virus/worm infection and/or clearly hostile activity
from the user's system.


Does anyone have experience with the virus/worm rules at
http://www.bleedingsnort.com/bleeding.rules?  In particular, are the rules
like:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE
W32/Sasser.worm.a [NAI])"; content:"|BC 3B 74 0B 50 8B 3D E8 46 A7 3D 09
85 B8 F8 CD 76 40 DE 7C 5B 5C D7 2A A8 E8 58 75 62 96 25 24|";
reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html;
classtype:misc-activity; sid:2001057; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE
W32/Sasser.worm.b [NAI])"; content:"|58 BC 0C FF 59 57 32 31 BD EC 34 64
6E D6 E3 8D 65 04 68 58 62 79 DF D8 2C 25 6A B5 28 BA 13 74|";
reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html;
classtype:misc-activity; sid:2001056; rev:1;)


pretty reliable?


							Thanks,
							- Andy

------------------------------------------------------------------------------
** Andy Johnston (andy at umbc.edu)          *                                 **
** IT Security                            * PGP key:(afj2002) 4096/8448B056 **
** Office of Information Technology, UMBC *   4A B4 96 64 D9 B6 EF E3 21 9A **
** 410-455-2583 (v)/410-455-1065 (f)      *   46 1A 37 11 F5 6C 84 48 B0 56 **
------------------------------------------------------------------------------
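As an added example (not from the post or from the Bleeding Snort project), a small Python parser for rules in this format that expands the |hex| content bytes and reports which sids match a given payload; the rule strings are copies of the two quoted above with the mail wrapping undone, and the sample payloads in the comments are constructed.

```python
import re

# Constructed copies of the two rules quoted in the post, with the mail
# wrapping undone (the stray ")" after "[NAI]" in the post is dropped here).
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE '
    'W32/Sasser.worm.a [NAI]"; content:"|BC 3B 74 0B 50 8B 3D E8 46 A7 3D 09 '
    '85 B8 F8 CD 76 40 DE 7C 5B 5C D7 2A A8 E8 58 75 62 96 25 24|"; '
    'reference:url,securityresponse.symantec.com/avcenter/venc/data/'
    'w32.sasser.worm.html; classtype:misc-activity; sid:2001057; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE '
    'W32/Sasser.worm.b [NAI]"; content:"|58 BC 0C FF 59 57 32 31 BD EC 34 64 '
    '6E D6 E3 8D 65 04 68 58 62 79 DF D8 2C 25 6A B5 28 BA 13 74|"; '
    'reference:url,securityresponse.symantec.com/avcenter/venc/data/'
    'w32.sasser.worm.html; classtype:misc-activity; sid:2001056; rev:1;)',
]

# Rule header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$')
# One option: key:value; where the value may be a quoted string containing ';'
OPTION_RE = re.compile(r'(\w+):("(?:[^"\\]|\\.)*"|[^;]*);')

def content_to_bytes(value):
    """Text outside |...| is literal, hex inside is decoded: 'abc|00 01|' -> b'abc\\x00\\x01'."""
    out = bytearray()
    for i, seg in enumerate(value.split('|')):
        out += bytes.fromhex(seg) if i % 2 else seg.encode('latin-1')
    return bytes(out)

def parse_rule(text):
    """Return src/dst, msg, sid and the byte pattern of every content: option."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("not a Snort rule: " + text[:40])
    rule = {"src": m.group(3), "dst": m.group(6), "contents": []}
    for key, raw in OPTION_RE.findall(m.group(8)):
        val = raw[1:-1] if raw.startswith('"') else raw
        if key == "content":
            rule["contents"].append(content_to_bytes(val))
        elif key == "sid":
            rule["sid"] = int(val)
        elif key == "msg":
            rule["msg"] = val
    return rule

def matching_sids(payload, rules=RULES):
    """SIDs of rules whose every content pattern occurs in the payload
    (header/port checks are omitted; this is only the content-match step)."""
    return [r["sid"] for r in map(parse_rule, rules)
            if r["contents"] and all(p in payload for p in r["contents"])]
```

Each quoted rule requires a 32-byte literal match, which is why a benign payload constructed without that sequence returns no sids.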