[unisog] Bleeding Snort rules

Michael Sconzo msconzo at net.tamu.edu
Thu Aug 26 18:12:07 GMT 2004


The snort.org rules for sasser are better.  I can send them if you'd
like.  We currently have an active response NIDS here, that we wrote in
house (it's free).  It may save you some work.

http://netsquid.tamu.edu/

-=Mike

On Thu, Aug 26, 2004 at 01:43:29PM -0400, Anderson Johnston wrote:
> 
> We're putting together an active response NIDS based on Snort for our
> residential network.  An alert on any rule will trigger a block on a
> user's authentication until they contact us.  We're trying to isolate
> rules with a very low chance of false positives - mainly obvious
> indications of known virus/worm infection and/or clearly hostile activity
> from the user's system.
> 
> 
> Does anyone have experience with the virus/worm rules at
> http://www.bleedingsnort.com/bleeding.rules?  In particular, are the rules
> like:
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE
> W32/Sasser.worm.a [NAI])"; content:"|BC 3B 74 0B 50 8B 3D E8 46 A7 3D 09
> 85 B8 F8 CD 76 40 DE 7C 5B 5C D7 2A A8 E8 58 75 62 96 25 24|";
> reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html;
> classtype:misc-activity; sid:2001057; rev:1;)
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE
> W32/Sasser.worm.b [NAI])"; content:"|58 BC 0C FF 59 57 32 31 BD EC 34 64
> 6E D6 E3 8D 65 04 68 58 62 79 DF D8 2C 25 6A B5 28 BA 13 74|";
> reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html;
> classtype:misc-activity; sid:2001056; rev:1;)
> 
> 
> pretty reliable?
> 
> 
> 							Thanks,
> 							- Andy
> 
> ------------------------------------------------------------------------------
> ** Andy Johnston (andy at umbc.edu)          *                                 **
> ** IT Security                            * PGP key:(afj2002) 4096/8448B056 **
> ** Office of Information Technology, UMBC *   4A B4 96 64 D9 B6 EF E3 21 9A **
> ** 410-455-2583 (v)/410-455-1065 (f)      *   46 1A 37 11 F5 6C 84 48 B0 56 **
> ------------------------------------------------------------------------------

-- 
_
_ Michael J. Sconzo
_ Computing & Information Services, Texas A&M University

The New Testament offers the basis for modern computer coding theory,
in the form of an affirmation of the binary number system.
        But let your communication be Yea, yea; nay, nay: for
        whatsoever is more than these cometh of evil.
                -- Matthew 5:37
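As an added illustration of what the quoted content-match rules actually test (my own example, not code from the list, from Bleeding Snort or from netsquid): a minimal Python matcher that parses the `content:"|...|"` option of the two Sasser rules above and runs them over constructed payloads. It shows why a 32-byte exact match is practically never hit by chance in benign traffic, and also that any one-byte variant of the worm slips straight past it. Offset/depth/distance modifiers and the `reference:` option are left out; the sample payloads are constructed, not captures.

```python
import re

# The two Bleeding Snort rules quoted in the post (sid 2001057 and 2001056),
# re-joined onto one line each; the reference: option is dropped for brevity.
RULE_TEXT = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE W32/Sasser.worm.a [NAI])"; '
    'content:"|BC 3B 74 0B 50 8B 3D E8 46 A7 3D 09 85 B8 F8 CD 76 40 DE 7C 5B 5C D7 2A A8 E8 58 75 62 96 25 24|"; '
    'classtype:misc-activity; sid:2001057; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE W32/Sasser.worm.b [NAI])"; '
    'content:"|58 BC 0C FF 59 57 32 31 BD EC 34 64 6E D6 E3 8D 65 04 68 58 62 79 DF D8 2C 25 6A B5 28 BA 13 74|"; '
    'classtype:misc-activity; sid:2001056; rev:1;)',
]
QUOTED = r'"((?:[^"\\]|\\.)*)"'   # one Snort option string; tolerates escaped quotes

def parse_content(spec: str) -> bytes:
    """Decode a content: string: text outside |...| is literal, text inside is hex bytes."""
    out = bytearray()
    for i, part in enumerate(spec.split('|')):
        out += bytes.fromhex(part) if i % 2 else part.encode('latin-1')
    return bytes(out)

def parse_rule(rule: str) -> dict:
    """Pull msg, sid and every content: option out of the rule's option block."""
    opts = rule[rule.index('(') + 1:rule.rindex(')')]
    return {
        'msg': re.search('msg:' + QUOTED, opts).group(1),
        'sid': int(re.search(r'sid:(\d+)', opts).group(1)),
        'contents': [parse_content(c) for c in re.findall('content:' + QUOTED, opts)],
    }

def fire(rules: list, payload: bytes) -> list:
    """Return the sids whose content options all occur somewhere in the payload.
    Snort ANDs multiple content: options; offset/depth/distance modifiers are ignored here."""
    return [r['sid'] for r in rules if all(c in payload for c in r['contents'])]

SASSER_RULES = [parse_rule(r) for r in RULE_TEXT]

# Constructed sample payloads (not real captures): the worm.a signature buried in
# filler, the same bytes with one byte altered, and an ordinary HTTP request.
SIG_A = SASSER_RULES[0]['contents'][0]
SAMPLE_INFECTED = b'\x90' * 40 + SIG_A + b'\x00' * 12
SAMPLE_MUTATED = b'\x90' * 40 + SIG_A[:15] + bytes([SIG_A[15] ^ 0x01]) + SIG_A[16:]
SAMPLE_BENIGN = b'GET /index.html HTTP/1.0\r\nHost: www.example.edu\r\n\r\n'

if __name__ == '__main__':
    for name, p in [('infected', SAMPLE_INFECTED), ('mutated', SAMPLE_MUTATED), ('benign', SAMPLE_BENIGN)]:
        print(f'{name:9s} -> sids fired: {fire(SASSER_RULES, p)}')
    # A 32-byte exact match is essentially never hit by chance; a false positive would mean
    # those bytes are not unique to the worm, and the mutated sample shows any variant evades.
```

Whether the 32 bytes are unique to Sasser (rather than, say, shared library code) is something only a run against real campus traffic can tell you; the chance-collision rate of an exact 32-byte match is negligible.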