[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Full-Disclosure] Snort on a Bootable FreeBSD CD to catch Nachi,Blaster & Sobig

To: <justin.tan@xxxxxxxxxxxx>, <full-disclosure@xxxxxxxxxxxxxxxx>
Subject: RE: [Full-Disclosure] Snort on a Bootable FreeBSD CD to catch Nachi,Blaster & Sobig
From: "Schmehl, Paul L" <pauls@xxxxxxxxxxxx>
Date: Fri, 5 Sep 2003 09:43:21 -0500

> -----Original Message-----
> From: Justin Tan [mailto:justin.tan@xxxxxxxxxxxx] 
> Sent: Thursday, September 04, 2003 8:09 AM
> To: full-disclosure@xxxxxxxxxxxxxxxx
> Subject: [Full-Disclosure] Snort on a Bootable FreeBSD CD to 
> catch Nachi,Blaster & Sobig
> 
> 
> On Thu, 2003-09-04 at 20:45, Paul Schmehl wrote:
> >Just curious - what sigs are you using for detection?
> 
> Nachi & Sobig.F - by you, Paul Schmehl(pauls@xxxxxxxxxxxx). 
> Msblaster by Brian Caswell <bmc@xxxxxxxxxxxxxx> & Nigel 
> Houghton <nigel.houghton@xxxxxxxxxxxxxx>
> (http://www.snort.org/snort-db/sid.html?sid=2192)
> 
> Nachi and Sobig.F tested, works fine. Great job there. Only 
> problem is with a possible false positive (Sobig.F sig) with 
> Crystal Reports listening oo port 8998.

I've also seen a handful of hits when a host queries DNS and happens to
do that on 8998/UDP.

Paul Schmehl (pauls@xxxxxxxxxxxx)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Prev by Date: [Full-Disclosure] Fwd: How to Steal a Mainframe
Next by Date: Re: [Full-Disclosure] 5 Microsoft Security Bulletin´s in one day ...
Previous by thread: Re: [Full-Disclosure] Fwd: How to Steal a Mainframe
Next by thread: [Full-Disclosure] OFF-TOPIC: Petition for a Software Patent Free Europe
Index(es):
- Date
- Thread