[vox-tech] IDS alert

Paul vox-tech@lists.lugod.org
Fri, 12 Jul 2002 03:40:51 -0700


greetings from adsl-209-233-98-66.dsl.scrm01.pacbell.net. I have a 
static IP from pacbell DSL and that is the name that pacbell has 
attached to it.
The scrm refers to Sacramento. The other choices are snfc (San 
Francisco), lsan (Los Angeles), sndg (San Diego).


msimons@moria.simons-clan.com wrote:

>On Thu, Jul 11, 2002 at 06:20:30PM -0700, Nick Donnelly wrote:
>
>>Pete said I might try forwarding this along--does anyone else's 
>>pacbell dsl identify itself like Pete's does (i.e. 
>>*.dsl.scrm01.pacbell.net)?  Anyone have a guess as to why only Pete's 
>>setup sets off snort?
>
>[...]
>
>>>Also, I guess I am wondering why only your pacbell DSL addy has 
>>>".scr" in it--don't a lot of other people on the list use the same 
>>>service?
>>>
>>>alert tcp any 110 -> any any (msg:"Virus - Possible scr Worm"; 
>>>content: ".scr"; nocase; sid:729;  classtype:misc-activity; rev:3;)
>
>  I don't know anything about snort, but this appears to be looking for
>any packet to port 110 (pop3) with the letters '.scr' in it.  This type
>of rule is way too broad to be useful... any email with those letters
>in it should trigger the problem.
>
>  Every other pacbell DSL person I know appears to have the same 
>naming of their hosts with .scr as part of the name.  I suspect you 
>only see that problem from Pete's because he is doing mail from 
>his DSL machine directly.
>
>  Without knowing anything else about it, my first impression is 
>that particular snort rule is useless and should simply be removed 
>from your ruleset.
>
>    TTFN,
>      Mike
>
>ps: I'm interested in what other people think.
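As an added illustration (not code from the thread or from Snort itself), a small Python emulation of that rule's header and content/nocase checks, run over two constructed POP3 server responses; the only difference between them is a Received: header carrying the pacbell hostname from the thread, and that substring alone is enough to fire the rule:

```python
# The rule under discussion, copied from the thread.
RULE = ('alert tcp any 110 -> any any (msg:"Virus - Possible scr Worm"; '
        'content: ".scr"; nocase; sid:729;  classtype:misc-activity; rev:3;)')

def parse_rule(rule):
    """Parse the header and the few options this rule uses (simplified, not Snort's parser)."""
    head, opts = rule.split("(", 1)
    action, proto, src, sport, _, dst, dport = head.split()
    options = {}
    for opt in opts.rstrip(")").split(";"):
        opt = opt.strip()
        if not opt:
            continue
        key, _, val = opt.partition(":")     # flag options like "nocase" have no value
        options[key.strip()] = val.strip().strip('"')
    return {"proto": proto, "sport": sport, "dport": dport,
            "content": options["content"], "nocase": "nocase" in options}

def matches(rule, packet):
    """True if the parsed rule fires on a packet given as {sport, dport, payload}."""
    if rule["sport"] != "any" and str(packet["sport"]) != rule["sport"]:
        return False
    if rule["dport"] != "any" and str(packet["dport"]) != rule["dport"]:
        return False
    payload, needle = packet["payload"], rule["content"]
    if rule["nocase"]:
        payload, needle = payload.lower(), needle.lower()
    return needle in payload            # plain substring match, as content: does

# Constructed samples: a POP3 server (source port 110) delivering a message.
# PACBELL_MSG's Received: header holds "dsl.scrm01", which contains ".scr".
PACBELL_MSG = {"sport": 110, "dport": 40123, "payload":
    "+OK 512 octets\r\n"
    "Received: from adsl-209-233-98-66.dsl.scrm01.pacbell.net\r\n"
    "Subject: meeting\r\n\r\nsee you at 7\r\n.\r\n"}
OTHER_MSG = {"sport": 110, "dport": 40124, "payload":
    "+OK 400 octets\r\n"
    "Received: from mail.example.net\r\n"
    "Subject: meeting\r\n\r\nsee you at 7\r\n.\r\n"}

if __name__ == "__main__":
    parsed = parse_rule(RULE)
    for name, pkt in (("pacbell", PACBELL_MSG), ("other", OTHER_MSG)):
        print(name, "fires" if matches(parsed, pkt) else "quiet")
```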