[unisog] Bleeding Snort rules

Anderson Johnston andy at umbc.edu
Thu Aug 26 18:41:00 GMT 2004


Thanks!  I've got the snort.org stuff.

BTW, our system is home-brew, as well.

					- Andy

On Thu, 26 Aug 2004, Michael Sconzo wrote:

> The snort.org rules for Sasser are better.  I can send them if you'd
> like.  We currently have an active response NIDS here, that we wrote in
> house (it's free).  It may save you some work.
>
> http://netsquid.tamu.edu/
>
> -=Mike
>
> On Thu, Aug 26, 2004 at 01:43:29PM -0400, Anderson Johnston wrote:
> >
> > We're putting together an active response NIDS based on Snort for our
> > residential network.  An alert on any rule will trigger a block on a
> > user's authentication until they contact us.  We're trying to isolate
> > rules with a very low chance of false positives - mainly obvious
> > indications of known virus/worm infection and/or clearly hostile activity
> > from the user's system.
> >
> >
> > Does anyone have experience with the virus/worm rules at
> > http://www.bleedingsnort.com/bleeding.rules?  In particular, are the rules
> > like:
> >
> > alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE W32/Sasser.worm.a [NAI])"; content:"|BC 3B 74 0B 50 8B 3D E8 46 A7 3D 09 85 B8 F8 CD 76 40 DE 7C 5B 5C D7 2A A8 E8 58 75 62 96 25 24|"; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html; classtype:misc-activity; sid:2001057; rev:1;)
> >
> > alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE W32/Sasser.worm.b [NAI])"; content:"|58 BC 0C FF 59 57 32 31 BD EC 34 64 6E D6 E3 8D 65 04 68 58 62 79 DF D8 2C 25 6A B5 28 BA 13 74|"; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html; classtype:misc-activity; sid:2001056; rev:1;)
> >
> >
> > pretty reliable?
> >
> >
> > 							Thanks,
> > 							- Andy
> >
> > ------------------------------------------------------------------------------
> > ** Andy Johnston (andy at umbc.edu)          *                                 **
> > ** IT Security                            * PGP key:(afj2002) 4096/8448B056 **
> > ** Office of Information Technology, UMBC *   4A B4 96 64 D9 B6 EF E3 21 9A **
> > ** 410-455-2583 (v)/410-455-1065 (f)      *   46 1A 37 11 F5 6C 84 48 B0 56 **
> > ------------------------------------------------------------------------------
> > _______________________________________________
> > unisog mailing list
> > unisog at lists.sans.org
> > http://www.dshield.org/mailman/listinfo/unisog
>
> --
> _
> _ Michael J. Sconzo
> _ Computing & Information Services, Texas A&M University
>
> The New Testament offers the basis for modern computer coding theory,
> in the form of an affirmation of the binary number system.
>         But let your communication be Yea, yea; nay, nay: for
>         whatsoever is more than these cometh of evil.
>                 -- Matthew 5:37

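
The question in the thread is whether a 32-byte `content` match like the two bleeding.rules entries above is reliable enough to key an automatic block on. The script below is an added example by the editor, not code from the thread, bleedingsnort.com or snort.org: it parses the two quoted rules, runs their content patterns over constructed payloads, reports which side of the flow each rule watches, and puts a number on how unlikely a chance match of a fixed 32-byte pattern is. Assumptions: only the `msg`, `content` (one per rule) and `sid` options are parsed, `content` is treated as a plain substring match (no `offset`/`depth`/`nocase`), and the payloads are constructed test data, not captured Sasser traffic.

```python
"""Parse the two bleeding.rules Sasser signatures quoted in the thread and
exercise them against constructed packet payloads.

Editor's added example; not code from the thread, bleedingsnort.com or
snort.org. Only msg/content/sid are parsed and content is a plain substring
match. All payloads below are constructed test data, not real Sasser traffic.
"""
import re
from typing import Dict, List

# The two rules quoted in the thread, each on a single line (Snort reads one
# rule per line; the mail client had wrapped them).
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE W32/Sasser.worm.a [NAI])"; '
    'content:"|BC 3B 74 0B 50 8B 3D E8 46 A7 3D 09 85 B8 F8 CD 76 40 DE 7C 5B 5C D7 2A A8 E8 58 75 62 96 25 24|"; '
    'reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html; '
    'classtype:misc-activity; sid:2001057; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE W32/Sasser.worm.b [NAI])"; '
    'content:"|58 BC 0C FF 59 57 32 31 BD EC 34 64 6E D6 E3 8D 65 04 68 58 62 79 DF D8 2C 25 6A B5 28 BA 13 74|"; '
    'reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html; '
    'classtype:misc-activity; sid:2001056; rev:1;)',
]

HEADER = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$'
)
MSG = re.compile(r'msg:"([^"]*)"')
CONTENT = re.compile(r'content:"([^"]*)"')
SID = re.compile(r'sid:(\d+)')


def decode_content(spec: str) -> bytes:
    """Snort content string -> bytes: text outside |...| is literal, text
    inside the pipes is space-separated hex."""
    out = bytearray()
    for i, seg in enumerate(spec.split('|')):
        out += bytes.fromhex(seg) if i % 2 else seg.encode('latin-1')
    return bytes(out)


def parse_rule(line: str) -> Dict:
    """Extract header fields plus msg, content and sid from one rule line."""
    m = HEADER.match(line)
    if not m:
        raise ValueError(f"unparseable rule header: {line[:40]!r}")
    opts = m.group('opts')
    return {
        'src': m.group('src'), 'dst': m.group('dst'), 'dir': m.group('dir'),
        'msg': MSG.search(opts).group(1),
        'content': decode_content(CONTENT.search(opts).group(1)),
        'sid': int(SID.search(opts).group(1)),
    }


def inbound_only(rule: Dict) -> bool:
    """True when the rule can only fire on traffic entering $HOME_NET."""
    return (rule['dir'] == '->' and rule['src'] == '$EXTERNAL_NET'
            and rule['dst'] == '$HOME_NET')


def matching_sids(rules: List[Dict], payload: bytes) -> List[int]:
    """SIDs whose content pattern occurs anywhere in the payload."""
    return [r['sid'] for r in rules if r['content'] in payload]


def expected_chance_hits(pattern_len: int, payload_len: int) -> float:
    """Expected accidental matches of a fixed pattern in uniformly random
    bytes: (number of positions) * 256**-pattern_len. Real false positives
    come from the bytes not being unique to the worm (shared library or
    packer code), not from chance, so this is a floor, not an estimate."""
    positions = max(0, payload_len - pattern_len + 1)
    return positions / float(256 ** pattern_len)


PARSED = [parse_rule(r) for r in RULES]

# Constructed payloads (not captured traffic): the Sasser.a bytes inside
# filler, the Sasser.b bytes after a fake PE header, and a plain HTTP request.
PAYLOAD_A = b'\x00' * 40 + PARSED[0]['content'] + b'\x90' * 24
PAYLOAD_B = b'MZ' + b'\x00' * 60 + PARSED[1]['content']
PAYLOAD_BENIGN = b'GET /index.html HTTP/1.0\r\nHost: www.example.edu\r\n\r\n'

if __name__ == '__main__':
    for r in PARSED:
        print(r['sid'], r['msg'],
              'inbound-only' if inbound_only(r) else 'bidirectional')
    for name, p in [('A', PAYLOAD_A), ('B', PAYLOAD_B), ('benign', PAYLOAD_BENIGN)]:
        print(name, matching_sids(PARSED, p))
    print('chance hits per 1460-byte segment:', expected_chance_hits(32, 1460))
```

Two things this turns up before such a rule is wired to an automatic block. First, both rules are written `$EXTERNAL_NET any -> $HOME_NET any`, so as quoted they fire when the pattern arrives at a residential host, not when it leaves one; an active-response system that punishes a user on these alerts should check which end of the flow the alert identifies, and a mirrored `$HOME_NET any -> $EXTERNAL_NET any` rule is needed to see the resident host propagating. Second, the chance of a random 32-byte collision is negligible (far below 1e-70 per full-size segment), so any false positive these rules do produce will come from the 32 bytes not being unique to the worm, which is what to verify against the binary rather than worry about accidental matches.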