[vox-tech] IDS alert
vox-tech@lists.lugod.org
Thu, 11 Jul 2002 21:40:41 -0400
On Thu, Jul 11, 2002 at 06:20:30PM -0700, Nick Donnelly wrote:
> Pete said I might try forwarding this along--does anyone else's
> pacbell dsl identify itself like Pete's does (i.e.
> *.dsl.scrm01.pacbell.net)? Anyone have a guess as to why only Pete's
> setup sets off snort?
[...]
> >Also, I guess I am wondering why only your pacbell DSL addy has
> >".scr" in it--don't a lot of other people on the list use the same
> >service?
> >alert tcp any 110 -> any any (msg:"Virus - Possible scr Worm";
> >content: ".scr"; nocase; sid:729; classtype:misc-activity; rev:3;)
I don't know anything about snort, but this appears to be looking for
any packet to port 110 (pop3) with the letters '.scr' in it. This type
of rule is way too broad to be useful... any email with those letters
in it should trigger the problem.
Every other pacbell DSL person I know appears to have the same
naming of their hosts with .scr as part of the name. I suspect you
only see that problem from Pete's because he is doing mail from his
DSL machine directly.
Without knowing anything else about it, my first impression is
that particular snort rule is useless and should simply be removed
from your ruleset.
TTFN,
Mike
ps: I'm interested in what other people think.
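An added example, not part of Mike's post and not code from the snort project: a small Python emulation of what rule sid:729 actually tests, run over a few constructed POP3 server responses. The hostnames, ports and message bodies below are made up for illustration (the `*.dsl.scrm01.pacbell.net` shape is modelled on the one quoted in the thread). It shows that the rule only looks at traffic coming *from* port 110 (the POP3 server's replies, which carry the downloaded mail), that a Received: header naming a host under `.scrm01.` satisfies `content:".scr"; nocase;` just as well as a `.scr` attachment does, and what a narrower match keyed on a filename= context would do instead. The tightened check is a hypothetical illustration of the idea, not a rule taken from any snort ruleset.

```python
import re

# Constructed sample packets (not captured traffic). Each dict stands in for
# one TCP segment: source port, destination port, and the application payload.
# POP3 servers answer from port 110, so "src_port == 110" is the direction
# the quoted rule ("tcp any 110 -> any any") inspects.
SAMPLE_PACKETS = [
    {   # Mail relayed through a DSL host whose name contains ".scrm01." (hypothetical host)
        "src_port": 110, "dst_port": 50123,
        "payload": (b"+OK 1234 octets\r\n"
                    b"Received: from adsl-63-1-2-3.dsl.scrm01.pacbell.net (constructed)\r\n"
                    b"Subject: lunch\r\n\r\nSee you at noon.\r\n.\r\n"),
    },
    {   # A genuine .scr attachment, the case the rule was written for
        "src_port": 110, "dst_port": 50124,
        "payload": (b"+OK 900 octets\r\n"
                    b"Received: from mail.example.net\r\n"
                    b"Content-Disposition: attachment; filename=\"invoice.SCR\"\r\n\r\n"
                    b"...\r\n.\r\n"),
    },
    {   # Plain message with no ".scr" anywhere
        "src_port": 110, "dst_port": 50125,
        "payload": (b"+OK 500 octets\r\n"
                    b"Received: from mail.example.net\r\n"
                    b"Subject: hi\r\n\r\nplain text only\r\n.\r\n"),
    },
    {   # Client -> server command: wrong direction for this rule even if it said ".scr"
        "src_port": 50126, "dst_port": 110,
        "payload": b"RETR 1\r\n",
    },
]


def snort_rule_729(pkt):
    """Emulate: alert tcp any 110 -> any any (content:".scr"; nocase;)

    'content' is a substring search over the payload; 'nocase' makes it
    case-insensitive. There is no anchoring, so any ".scr" anywhere matches.
    """
    if pkt["src_port"] != 110:
        return False
    return b".scr" in pkt["payload"].lower()


# Hypothetical tightening for comparison: only fire when ".scr" ends a
# filename= / name= parameter, i.e. an attachment name rather than a hostname.
FILENAME_SCR = re.compile(rb'(?:filename|name)="?[^"\r\n;]*\.scr"?', re.IGNORECASE)


def tightened_rule(pkt):
    """Same direction test, but the match must sit in an attachment-name context."""
    if pkt["src_port"] != 110:
        return False
    return FILENAME_SCR.search(pkt["payload"]) is not None


def evaluate(packets, rule):
    """Return one True/False verdict per packet for the given rule function."""
    return [rule(p) for p in packets]


if __name__ == "__main__":
    for name, rule in (("sid:729 as quoted", snort_rule_729),
                       ("filename-context match", tightened_rule)):
        print(name, evaluate(SAMPLE_PACKETS, rule))
```

Running it shows the quoted rule firing on the first two packets (the DSL hostname and the real attachment alike) and the filename-context version firing only on the second; the client-side RETR command is ignored by both because it does not come from port 110.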