> -----Original Message----- > From: Justin Tan [mailto:[EMAIL PROTECTED] > Sent: Thursday, September 04, 2003 8:09 AM > To: [EMAIL PROTECTED] > Subject: [Full-Disclosure] Snort on a Bootable FreeBSD CD to > catch Nachi,Blaster & Sobig > > > On Thu, 2003-09-04 at 20:45, Paul Schmehl wrote: > >Just curious - what sigs are you using for detection? > > Nachi & Sobig.F - by you, Paul Schmehl([EMAIL PROTECTED]). > Msblaster by Brian Caswell <[EMAIL PROTECTED]> & Nigel > Houghton <[EMAIL PROTECTED]> > (http://www.snort.org/snort-db/sid.html?sid=2192) > > Nachi and Sobig.F tested, works fine. Great job there. Only > problem is with a possible false positive (Sobig.F sig) with > Crystal Reports listening oo port 8998.
I've also seen a handful of hits when a host queries DNS and happens to do that on 8998/UDP. Paul Schmehl ([EMAIL PROTECTED]) Adjunct Information Security Officer The University of Texas at Dallas AVIEN Founding Member http://www.utdallas.edu/~pauls/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
