June 26th, 2003, 10:21 PM
Snort Rule or ISS TRON for SoBig.E
Does anyone out there know where I can find SNORT rules or ISS RealSecure TRONS to sniff out Win32.SoBig.E ?
I have been digging around on Google and beating up ISS tech. support and we are comming up dry.
Pretty mind-bending...All the $$$ we spent on IDS and we can't find a way to use the IDS to help control a virus infection.
Thanks in Advance!
June 26th, 2003, 11:19 PM
It will only be active until July 13th...
Rather than creating a specific singature for SoBig why not just use the tools that are already there?
There are signatures available for netbios connections (establish, connect, reject), for SMB sweeps, port scans, email contents, etc.
That is at least how we have been catching the last few batches of worms (they all leave signs of netbios failures, assuming you don't have wide open permissions across your network, which I would hope you don't).
With a little creative filtering, at least in ISS, you should be able to cut down on the false positives...
EDIT: One other thing...using IDS to control a virus infection is NEVER going to be an effective solution. Always think of it this way, IDS only notifies you AFTER something has happened. Since the worms spread automatically as fast as possible, you will rarely be able to track down infected machines before they spread to other machines. The more effective solution is having AV installed on all desktops that can be automatically or remotely updated as well as AV filters on all incoming email, and blocking ports tcp/135, tcp/139, tcp/445, and udp/137, udp/138, udp/139, should keep the majority of your users safe from worms.
IDS can buy you alot, it is not an all-in-one wonder though..
There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.
(Merovingian - Matrix Reloaded)
June 27th, 2003, 01:54 AM
Having a scanner/filter installed on your mail servers is a very good thing, as well. We were able to set a block in just a few minutes against the majority of the SoBig.E items while we got the anti-virus updates out to our network workstations and servers. I can remove the block, now, or fine tune it to be more effective.
Odd how these variations on a theme get you to looking at network protection from different angles every time a new worm shows up.