Hi,

You could add four Connection Events in your policy:

1. source address: any, destination address: any, protocol: tcp, source service: any, destination service: 9898
2. source address: any, destination address: any, protocol: tcp, source service: 9898, destination service: any
3. source address: any, destination address: any, protocol: tcp, source service: any, destination service: 5454
4. source address: any, destination address: any, protocol: tcp, source service: 5454, destination service: any

Response: log and display.

You have to check the event analysis because some events could be false positives. The TCP_Network_Scan and TCP_service_sweep signatures are very helpful. Enable both.

Regards,
Carlos

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Geldard Valle Meza
Sent: Wednesday, July 14, 2004 12:24 PM
To: [EMAIL PROTECTED]
Subject: RE: [ISSForum] signature regex

Hi all,

This morning I saw activity from several public addresses trying to scan many of my firewalls using the source ports 9898 and 5454. I believe that this activity is related to the DABBER worm. I tried to find this activity in my Network Sensors, but I don't see any signature reporting this; I only see the TCP_service_sweep alert. Does anybody know if ISS has released signatures to see this kind of traffic?

Thanks,
Geldard Valle Meza
-----------------------------------------------------
CSIRT/cc SOC-Scitum
[EMAIL PROTECTED]
mobil. 21238975

_______________________________________________
ISSForum mailing list
[EMAIL PROTECTED]
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo/issforum
To contact the ISSForum Moderator, send email to [EMAIL PROTECTED]
The ISSForum mailing list is hosted and managed by Internet Security Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
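The four Connection Events from the reply above, applied offline to connection records, as an added example that is not part of the original thread and is not ISS sensor configuration. The record format, the sample lines, and the `SWEEP_THRESHOLD` used to separate multi-target sources from single hits that need manual review (the false positives the reply warns about) are assumptions.

```python
from collections import defaultdict

WATCHED_PORTS = (9898, 5454)   # ports named in the thread
SWEEP_THRESHOLD = 3            # assumption: distinct destinations before a source counts as a sweep

# Constructed sample records: "src_ip src_port dst_ip dst_port proto"
SAMPLE = """\
203.0.113.7 9898 192.0.2.10 80 tcp
203.0.113.7 9898 192.0.2.11 80 tcp
203.0.113.7 9898 192.0.2.12 80 tcp
198.51.100.4 5454 192.0.2.10 80 tcp
192.0.2.50 40312 198.51.100.9 9898 tcp
192.0.2.51 51515 198.51.100.20 443 tcp
203.0.113.9 9898 192.0.2.10 53 udp
"""

def parse(line):
    """Split one whitespace-separated record into typed fields."""
    src, sport, dst, dport, proto = line.split()
    return {"src": src, "sport": int(sport), "dst": dst,
            "dport": int(dport), "proto": proto.lower()}

def match_rule(rec):
    """Return the thread's rule number (1-4) that the record hits, or None."""
    if rec["proto"] != "tcp":          # all four events are TCP only
        return None
    for base, port in zip((1, 3), WATCHED_PORTS):
        if rec["dport"] == port:       # rules 1 and 3: destination service
            return base
        if rec["sport"] == port:       # rules 2 and 4: source service
            return base + 1
    return None

def triage(text):
    """Group rule hits by source: {src: (rules_hit, distinct_dsts, verdict)}."""
    hits = defaultdict(lambda: {"rules": set(), "dsts": set()})
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse(line)
        rule = match_rule(rec)
        if rule is not None:
            hits[rec["src"]]["rules"].add(rule)
            hits[rec["src"]]["dsts"].add(rec["dst"])
    return {src: (sorted(h["rules"]), len(h["dsts"]),
                  "sweep" if len(h["dsts"]) >= SWEEP_THRESHOLD else "review")
            for src, h in hits.items()}

if __name__ == "__main__":
    for src, row in sorted(triage(SAMPLE).items()):
        print(src, row)
```

A source marked `review` matched a rule only once or twice, which is where a coincidental ephemeral port of 9898 or 5454 on ordinary traffic would show up.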
