[Dshield] Sobig watch
jsage at finchhaven.com
Sat Aug 23 13:36:24 GMT 2003
On Fri, Aug 22, 2003 at 09:10:21PM -0700, John D. wrote:
> > I am not tracking any either.. Stood up a Snort-Box for just
> > this. If I get anything interesting Ill post on Monday...
> What Snort rules are you using? I've been looking for the latest
> rules for trapping when it tries to connect to one of the 20
For what Johannes is talking about (unless I misunderstood something
completely) a rule as simple as this should suffice:
alert udp $EXTERNAL_NET any -> $HOME_NET 995:999 \
(msg:"UDP inbound to 995:999";)
It's not always necessary to wait for an "official" rule of some sort;
in fact, in some cases you just have to write your own to perform a
"Warning: time of day goes back, taking countermeasures."
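As an added illustration of which traffic the quoted rule header actually selects (this is not code from the post and not Snort itself): a small Python matcher that parses the rule, resolves the network variables, and runs it over a handful of constructed flow records. The $HOME_NET value, the flow-log format and the sample lines are assumptions; $EXTERNAL_NET is treated as !$HOME_NET, as a typical snort.conf defines it.

```python
"""Toy matcher for a Snort rule header, used to show what the rule
'alert udp $EXTERNAL_NET any -> $HOME_NET 995:999 (...)' fires on.

Everything here is constructed for illustration: the variable values,
the flow records and the matcher. It is not Snort and not code from the
list post; it only evaluates the header fields the post relies on.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumed values for the Snort variables (constructed; a real snort.conf
# defines these per site). None for $EXTERNAL_NET means "!$HOME_NET".
NET_VARS = {
    "$HOME_NET": [ipaddress.ip_network("192.0.2.0/24")],
    "$EXTERNAL_NET": None,
}

RULE = 'alert udp $EXTERNAL_NET any -> $HOME_NET 995:999 (msg:"UDP inbound to 995:999";)'

RULE_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src: str
    sport: tuple
    dst: str
    dport: tuple
    msg: str


def parse_ports(spec):
    """'any' -> (1, 65535); '995' -> (995, 995); '995:999' -> (995, 999);
    ':1024' -> (1, 1024); '1024:' -> (1024, 65535)."""
    if spec == "any":
        return (1, 65535)
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 1, int(hi) if hi else 65535)
    return (int(spec), int(spec))


def parse_rule(text):
    """Split the header into fields; only the msg option is kept."""
    m = RULE_RE.match(text)
    if not m:
        raise ValueError("unrecognised rule: %r" % text)
    opts = dict(re.findall(r'(\w+):"?([^";]*)"?;', m.group("opts")))
    return Rule(m.group("action"), m.group("proto").lower(), m.group("src"),
                parse_ports(m.group("sport")), m.group("dst"),
                parse_ports(m.group("dport")), opts.get("msg", ""))


def in_net(var, addr):
    """Resolve a Snort network variable against one address."""
    ip = ipaddress.ip_address(addr)
    if var == "any":
        return True
    nets = NET_VARS[var]
    if nets is None:  # $EXTERNAL_NET == !$HOME_NET
        return not any(ip in n for n in NET_VARS["$HOME_NET"])
    return any(ip in n for n in nets)


def matches(rule, flow):
    """flow: dict with proto, src, sport, dst, dport (one direction)."""
    return (flow["proto"] == rule.proto
            and in_net(rule.src, flow["src"])
            and rule.sport[0] <= flow["sport"] <= rule.sport[1]
            and in_net(rule.dst, flow["dst"])
            and rule.dport[0] <= flow["dport"] <= rule.dport[1])


def parse_flow(line):
    """Constructed flow-log line format: 'proto src:sport > dst:dport'."""
    proto, src, _, dst = line.split()
    s_ip, s_port = src.rsplit(":", 1)
    d_ip, d_port = dst.rsplit(":", 1)
    return {"proto": proto.lower(), "src": s_ip, "sport": int(s_port),
            "dst": d_ip, "dport": int(d_port)}


# Constructed sample flows (RFC 5737 documentation addresses, not real hosts).
SAMPLE_FLOWS = [
    "udp 198.51.100.7:53281 > 192.0.2.15:996",   # inbound UDP into 995:999 -> alert
    "udp 198.51.100.7:53281 > 192.0.2.15:8998",  # other UDP port -> no alert
    "tcp 198.51.100.9:44011 > 192.0.2.15:995",   # TCP/995 (POP3S) -> no alert
    "udp 192.0.2.20:995 > 192.0.2.15:999",       # internal source -> no alert
    "udp 203.0.113.4:999 > 192.0.2.21:999",      # inbound UDP to 999 -> alert
]


def run(rule_text=RULE, lines=SAMPLE_FLOWS):
    """Return (msg, line) for every flow the rule header matches."""
    rule = parse_rule(rule_text)
    return [(rule.msg, line) for line in lines if matches(rule, parse_flow(line))]


if __name__ == "__main__":
    for msg, line in run():
        print("[%s] %s" % (msg, line))
```

The matcher evaluates only the header plus msg, which is all the quoted rule has; a rule deployed on a real sensor would also carry a sid and classtype, which later Snort releases expect, and would fire on every inbound UDP datagram to 995:999, so the alert count is a starting point for inspection rather than a confirmed infection.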