I have Snort deployed in 28 offices, logging to a MS SQL server and we
view alerts using BASE. I have a lot of custom virus signatures and
would be willing to share if you want them. It works well to quickly
identify who is spreading the worms.
As far as fully patched machines getting infected, check your passwords on
those machines. One of the "features" of Randex is "Attempts to log on
as an administrator to a random IP address that is protected by weak
passwords. If successful, the worm will then copy itself to the remote
computer and execute itself."
Also Symantec has a problem disassembling some of these viruses and that
can cause them to take longer to release defs. I keep a copy of Kaspersky
just so I can get a second opinion when I find suspicious files.
Holland + Knight
Travis Abrams MCSE, GCIH
Systems Engineer
Holland & Knight LLP
NOTICE: This e-mail is from a law firm, Holland & Knight LLP ("H&K"),
and is intended solely for the use of the individual(s) to whom it is
addressed. If you believe you received this e-mail in error, please
notify the sender immediately, delete the e-mail from your computer and
do not copy or disclose it to anyone else. If you are not an existing
client of H&K, do not construe anything in this e-mail to make you a
client unless it contains a specific statement to that effect and do not
disclose anything to H&K in reply that you expect it to hold in
confidence. If you properly received this e-mail as a client,
co-counsel or retained expert of H&K, you should maintain its contents
in confidence in order to preserve the attorney-client or work product
privilege that may be available to protect confidentiality.
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, December 01, 2004 10:42 AM
To: ActiveDir (E-mail)
Subject: [ActiveDir] Snort
Anyone had good experiences with snort and can you recommend it as an IDS
and intrusion prevention?
I'm really getting hit hard with bots like W32.spybot.worm and
W32.Randex.BTB. I get these worms even being fully patched and my
Symantec defs are up to date. I'm looking for something cheap (read:
free) to help me stop these things or at least contain them.
My managers are looking into the Cisco Self-Defending Network solution but
that's big $$ and might be a whole other management headache.
I was looking at some combination of our current AV (Symantec Corporate
9.0) and GPO and snort as some sort of solution.
These bots are really annoying because they seem to infect even patched
and up to date systems and then they go out on ports 445 or 54321 or
6666 and even though our firewall (WatchGuard) blocks these ports, enough
of these infected systems can DOS my firewall or bring network traffic
to a crawl.
Any recommendations?
thanks a lot
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
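An added example, not code from either message in this thread: Travis says Snort plus custom signatures lets him "quickly identify who is spreading the worms", and Tom lists the ports the bots use (445, 54321, 6666). The script below does that triage over Snort 2.x "alert_fast" lines. The alert lines, the rule message "LOCAL worm port probe" and SID 1000001 are all constructed for the example. It ranks internal sources by how many *distinct* destinations they hit on those ports, because a workstation talking to its file server over 445 produces many alerts to one host, while a worm sweeping random addresses touches many.

```python
"""Triage Snort fast-format alerts to find hosts fanning out on worm ports.

Added example, not code from the original thread. It assumes Snort 2.x
alert_fast output and a local rule whose message ("LOCAL worm port probe")
and SID (1000001) are made up; the sample alert lines are constructed.
"""
import re
from collections import defaultdict

# Ports the original message says the bots go out on.
WORM_PORTS = {445, 54321, 6666}

# Snort 2.x fast alert line:
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: ..] [Priority: n] {PROTO} src:sport -> dst:dport
# Classification/Priority are optional, hence the lazy ".*?" before {PROTO}.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\s*$"
)


def parse_alert(line):
    """Return a dict for one alert line, or None if the line does not parse."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("gid", "sid", "rev", "sport", "dport"):
        d[k] = int(d[k])
    return d


def rank_sources(lines, ports=WORM_PORTS):
    """For alerts whose destination port is in `ports`, return a list of
    (src, distinct_destinations, total_alerts) sorted widest fan-out first.

    Distinct destinations, not raw alert count, is the signal: a legitimate
    SMB client hammers one server, a worm sweeps many addresses.
    """
    targets = defaultdict(set)
    hits = defaultdict(int)
    for line in lines:
        a = parse_alert(line)
        if a is None or a["dport"] not in ports:
            continue  # unparseable line or not a worm port: skip it
        targets[a["src"]].add(a["dst"])
        hits[a["src"]] += 1
    ranked = [(src, len(dsts), hits[src]) for src, dsts in targets.items()]
    ranked.sort(key=lambda r: (-r[1], -r[2], r[0]))
    return ranked


def suspected_spreaders(lines, min_targets=10, ports=WORM_PORTS):
    """Sources that probed at least `min_targets` distinct hosts on worm ports."""
    return [src for src, n_dst, _ in rank_sources(lines, ports) if n_dst >= min_targets]


# Constructed sample: one sweeping host, one legitimate SMB client talking to
# a single file server, one low-volume probe on 6666, and one junk line.
def _mk(src, dst, dport, sec):
    return (f"12/01-10:42:{sec:02d}.000000  [**] [1:1000001:1] LOCAL worm port probe [**] "
            f"[Classification: Attempted Information Leak] [Priority: 2] {{TCP}} "
            f"{src}:1045 -> {dst}:{dport}")


SAMPLE_ALERTS = (
    [_mk("10.1.2.3", f"10.1.5.{i}", 445, i) for i in range(1, 13)]      # 12 distinct targets
    + [_mk("10.1.0.5", "10.1.0.10", 445, s) for s in range(20, 40)]     # 20 alerts, one server
    + [_mk("10.1.2.9", "10.1.6.1", 6666, 41), _mk("10.1.2.9", "10.1.6.2", 6666, 42)]
    + ["garbage line that is not an alert"]
)

if __name__ == "__main__":
    for src, n_dst, n_hits in rank_sources(SAMPLE_ALERTS):
        print(f"{src:<12} distinct targets={n_dst:3d} alerts={n_hits:3d}")
    print("suspected spreaders:", suspected_spreaders(SAMPLE_ALERTS))
```

Point the script at a real alert file (`python triage.py < /var/log/snort/alert`, adjusting `SAMPLE_ALERTS` to read stdin) and tune `min_targets` to your network: a backup server or domain controller will legitimately touch many hosts on 445, so whitelist those before acting on the list.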