[Dshield] Sobig watch

John Sage jsage at finchhaven.com
Sat Aug 23 13:36:24 GMT 2003


On Fri, Aug 22, 2003 at 09:10:21PM -0700, John D. wrote:
> > I am not tracking any either.. Stood up a Snort-Box for just
> > this. If I get anything interesting I'll post on Monday...
> 
> What Snort rules are you using?   I've been looking for the latest
> rules for trapping when it tries to connect to one of the 20
> servers.

For what Johannes is talking about (unless I misunderstood something
completely) a rule as simple as this should suffice:

#
alert udp $EXTERNAL_NET any -> $HOME_NET 995:999 \
  (msg:"UDP inbound to 995:999";)
#

It's not always necessary to wait for an "official" rule of some sort;
in fact, in some cases you just have to write your own to perform a
specific task...


- John
-- 
"Warning: time of day goes back, taking countermeasures."
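The rule from the post, worked through as an added example (this is not code
from the original thread or from Snort itself): a minimal matcher for a Snort
rule header that resolves $HOME_NET / $EXTERNAL_NET and the 995:999 port range,
then runs the Sobig rule over a few constructed UDP flow records. The $HOME_NET
value and the flows are constructed assumptions; only the header and msg option
are handled, not the rest of Snort's option language.

```python
import ipaddress
import re

# Assumed value of the $HOME_NET variable (constructed for this example).
HOME_NET = [ipaddress.ip_network("192.0.2.0/24")]
HEADER_RE = re.compile(r"(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)$")
SOBIG_RULE = 'alert udp $EXTERNAL_NET any -> $HOME_NET 995:999 (msg:"UDP inbound to 995:999";)'

def in_home(ip):
    return any(ipaddress.ip_address(ip) in net for net in HOME_NET)

def match_addr(spec, ip):
    # Snort address field: any, $HOME_NET, $EXTERNAL_NET (usually !$HOME_NET), or a CIDR.
    if spec == "any":
        return True
    if spec in ("$HOME_NET", "$EXTERNAL_NET"):
        return in_home(ip) == (spec == "$HOME_NET")
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def match_port(spec, port):
    # Snort port field: any, a single port, or lo:hi with either end optional.
    if spec == "any":
        return True
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)

def parse_rule(text):
    # Split "action proto src sport -> dst dport (options)" into its fields.
    header, _, opts = text.partition("(")
    action, proto, src, sport, dst, dport = HEADER_RE.match(header.strip()).groups()
    msg = re.search(r'msg:"([^"]*)"', opts)
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "msg": msg.group(1) if msg else ""}

def rule_matches(rule, flow):
    fields = (("src", match_addr), ("sport", match_port), ("dst", match_addr), ("dport", match_port))
    return rule["proto"] == flow["proto"] and all(f(rule[k], flow[k]) for k, f in fields)

# Constructed flow records; only the first should trip the rule.
FLOWS = [
    {"proto": "udp", "src": "198.51.100.7", "sport": 40000, "dst": "192.0.2.10", "dport": 997},
    {"proto": "udp", "src": "192.0.2.10", "sport": 997, "dst": "198.51.100.7", "dport": 40000},   # outbound
    {"proto": "udp", "src": "198.51.100.7", "sport": 40000, "dst": "192.0.2.10", "dport": 1000},  # port out of range
    {"proto": "udp", "src": "192.0.2.5", "sport": 1234, "dst": "192.0.2.10", "dport": 999},       # internal source
]

def alerts(rule_text=SOBIG_RULE, flows=FLOWS):
    rule = parse_rule(rule_text)
    return [f"{rule['msg']}: {f['src']}:{f['sport']} -> {f['dst']}:{f['dport']}"
            for f in flows if rule_matches(rule, f)]
```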
