[Snort-users] Content scanning
From: Heinrich vanRiel (heinrich.vanriel us.didata.com)
Date: Sun Feb 01 2004 - 10:14:00 CST
Greetings,

Since sco is down at this point, I want to add a rule at this point to do payload scanning for every single occurrence of www.sco.com.

I have added my rules, any host to any port content set to www.sco.com and nocase, for IP, TCP and UDP.

My concern is that if I do a nslookup on www.sco.com from a device (not the DNS server) my IDS sensors do not alert me that www.sco.com traveled the network, however if I do a tcpdump I can see at least 2 packets containing www.sco.com. (I stop snort and do the tcpdump from the sensor.)

I just want to make sure no infected desktop is overlooked, since I find it a bit hard to believe that out of 600+ desktops I have not seen any attempts to reach SCO.

Output of tcpdump:

11:08:56.231023 dns.mydomain.local > desktop.mydomain.local.2612: 16 1/0/0 A www.sco.com (45)
11:08:56.231030 dns.mydomain.local > desktop.mydomain.local.2612: 16 1/0/0 A www.sco.com (45)

Sensor info:
FreeBSD 4.9 Stable
Snort 2.0.5
Dell PowerEdge 6400 Xeon

Thanks
HvR
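The DNS replies in the tcpdump output above are a good illustration of why a plain `content:"www.sco.com"; nocase;` rule can miss traffic that tcpdump's decoder prints with the name in it. DNS (RFC 1035) does not carry host names as dotted strings: each label is prefixed by its length, so the bytes on the wire for www.sco.com are `03 'www' 03 'sco' 03 'com' 00`, and the literal string `www.sco.com` never appears in the packet. The script below is an added example, not part of the original post or of Snort: it builds a constructed 1/0/0 A response for www.sco.com (the answer address 192.0.2.1 and transaction id 16 are placeholders), shows that the dotted-string match fails on it while a label-encoded match succeeds, and shows that the same dotted-string match does fire on an HTTP request whose Host header names the site. The equivalent Snort content option for the wire form is `content:"|03|www|03|sco|03|com|00|";` (the `|..|` notation is Snort's hex escape).

```python
"""DNS wire format vs. a dotted-string content match (constructed example)."""
import struct


def encode_dns_name(name: str) -> bytes:
    """Encode a host name as DNS labels: <len><label>...<len><label><0>."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"bad DNS label: {label!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_dns_a_response(txid: int, name: str, ip: str, ttl: int = 300) -> bytes:
    """Build a minimal DNS response (1 question, 1 A answer). Constructed sample,
    not a capture: txid and ip are placeholders chosen for the example."""
    # Flags 0x8180: response (QR), recursion desired, recursion available.
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    qname = encode_dns_name(name)
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    # Answer: compression pointer (0xC00C) back to the name at offset 12,
    # then TYPE=A, CLASS=IN, TTL, RDLENGTH=4 and the 4-byte address.
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def dotted_match(payload: bytes, name: str) -> bool:
    """What content:"www.sco.com"; nocase; looks for: the dotted string itself."""
    return name.lower().encode("ascii") in payload.lower()


def wire_match(payload: bytes, name: str) -> bool:
    """What content:"|03|www|03|sco|03|com|00|"; looks for: the label encoding."""
    return encode_dns_name(name).lower() in payload.lower()


# Constructed HTTP request, the kind of payload the dotted-string rule does catch.
HTTP_REQUEST = b"GET / HTTP/1.1\r\nHost: WWW.SCO.COM\r\n\r\n"


if __name__ == "__main__":
    reply = build_dns_a_response(16, "www.sco.com", "192.0.2.1")
    print("DNS reply length:", len(reply))          # 45 bytes, matching the "(45)" in the capture
    print("wire bytes:", reply.hex())
    print("dotted string in DNS reply:", dotted_match(reply, "www.sco.com"))
    print("label form in DNS reply:", wire_match(reply, "www.sco.com"))
    print("dotted string in HTTP request:", dotted_match(HTTP_REQUEST, "www.sco.com"))
```

The 45-byte length of the constructed reply agrees with the `(45)` tcpdump prints for the real packets, which is a useful sanity check that the packet layout assumed here is the one the capture shows. In practice two rules are needed to cover both paths: one on UDP/53 with the label-encoded content, and one on the TCP traffic with the dotted form.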