The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Re: [vox-tech] IDS alert

On Thu, Jul 11, 2002 at 06:20:30PM -0700, Nick Donnelly wrote:
> Pete said I might try forwarding this along--does anyone else's 
> pacbell dsl identify itself like Pete's does (i.e. 
> *.dsl.scrm01.pacbell.net)?  Anyone have a guess as to why only Pete's 
> setup sets off snort?
[...]
> >Also, I guess I am wondering why only your pacbell DSL addy has 
> >".scr" in it--don't a lot of other people on the list use the same 
> >service?

> >alert tcp any 110 -> any any (msg:"Virus - Possible scr Worm"; 
> >content: ".scr"; nocase; sid:729;  classtype:misc-activity; rev:3;)

  I don't know anything about snort, but this appears to be looking for
any packet to port 110 (pop3) with the letters '.scr' in it.  This type
of rule is way too broad to be useful... any email with those letters
in it should trigger the problem.

  Every other pacbell DSL person I know appears to have the same 
naming of their hosts with .scr as part of the name.  I suspect you 
only see that problem from Pete's because he is doing mail from his 
DSL machine directly.

  Without knowing anything else about it, my first impression is 
that particular snort rule is useless and should simply be removed 
from your ruleset.

    TTFN,
      Mike

ps: I'm interested in what other people think.
_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech
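As an added illustration (not part of the archived post), here is a small Python model of the quoted Snort rule sid:729 showing why a hostname such as *.dsl.scrm01.pacbell.net in a Received header trips it; the narrower attachment check is a hypothetical alternative, not a rule from the thread, and the sample POP3 responses are constructed.

```python
import re

# Model of the rule quoted in the thread:
#   alert tcp any 110 -> any any (msg:"Virus - Possible scr Worm";
#                                 content: ".scr"; nocase; sid:729; ...)
# It fires on any TCP segment whose source port is 110 (a POP3 server answering
# a client) and whose payload contains the bytes ".scr" in any letter case.
RULE_SRC_PORT = 110
RULE_CONTENT = b".scr"

def rule_729_matches(src_port: int, payload: bytes) -> bool:
    """sid:729 as written: source port 110 and '.scr' anywhere, case-insensitive."""
    return src_port == RULE_SRC_PORT and RULE_CONTENT in payload.lower()

# Hypothetical narrower check (assumption, not from the page): only fire when
# '.scr' ends a filename token in an attachment header.
_SCR_ATTACHMENT = re.compile(rb'filename="?[^"\r\n]*\.scr"?', re.IGNORECASE)

def scr_attachment_present(src_port: int, payload: bytes) -> bool:
    """Fire only on a Content-Disposition filename ending in .scr."""
    return src_port == RULE_SRC_PORT and _SCR_ATTACHMENT.search(payload) is not None

# Constructed sample POP3 server responses (RETR output), not captured traffic.
# The Received header carries a PacBell-style hostname: ".scrm01" contains ".scr".
PLAIN_MAIL = (
    b"+OK 312 octets\r\n"
    b"Received: from adsl-64-0-0-1.dsl.scrm01.pacbell.net (placeholder host)\r\n"
    b"Subject: lunch?\r\n\r\nSee you at noon.\r\n.\r\n"
)
# A message that really does carry a .scr attachment.
ATTACHMENT_MAIL = (
    b"+OK 900 octets\r\n"
    b"Received: from mail.example.net\r\n"
    b"Content-Disposition: attachment; filename=\"Party.SCR\"\r\n\r\nTVqQAAMA\r\n.\r\n"
)

def evaluate() -> dict:
    """Compare both checks on the two constructed messages."""
    return {
        "plain_rule729": rule_729_matches(110, PLAIN_MAIL),       # True: false positive
        "plain_narrow": scr_attachment_present(110, PLAIN_MAIL),  # False
        "attach_rule729": rule_729_matches(110, ATTACHMENT_MAIL), # True
        "attach_narrow": scr_attachment_present(110, ATTACHMENT_MAIL),  # True
    }

if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name}: {'ALERT' if hit else 'no alert'}")
```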