
RE: [ISSForum] signature regex



Hi,

You could add four Connection Events in your policy: 

1	source address: any, destination address: any, protocol: tcp, source service: any,  destination service: 9898 
2	source address: any, destination address: any, protocol: tcp, source service: 9898, destination service: any
3	source address: any, destination address: any, protocol: tcp, source service: any,  destination service: 5454 
4	source address: any, destination address: any, protocol: tcp, source service: 5454, destination service: any	

Response: log and display.

You have to check the event analysis because some events could be false positives.

TCP_Network_Scan and TCP_service_sweep signatures are very helpful. Enable both.

Regards,

Carlos 


-----Original Message-----
From: issforum-bounces@xxxxxxx [mailto:issforum-bounces@xxxxxxx]On
Behalf Of Geldard Valle Meza
Sent: Wednesday, July 14, 2004 12:24 PM
To: issforum@xxxxxxx
Subject: RE: [ISSForum] signature regex


 

Hi all,
 
This morning I saw activity from several public addresses trying to scan many of
my firewalls using source ports 9898 and 5454. I believe that this
activity is related to the DABBER worm. I tried to find this activity in my
Network Sensors, but I don't see any signature reporting it; I only see the
TCP_service_sweep alert.

Does anybody know if ISS has released signatures to see this kind of traffic?





Thanks,

Geldard Valle Meza
-----------------------------------------------------
 
CSIRT/cc
SOC-Scitum
gvalle@xxxxxxxxxxxxx
mobil.  21238975
 

_______________________________________________
ISSForum mailing list
ISSForum@xxxxxxx

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo/issforum

To contact the ISSForum Moderator, send email to mod-issforum@xxxxxxx

The ISSForum mailing list is hosted and managed by Internet Security
Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
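
The four Connection Events from the reply above, written out as match logic over connection records and summarized per source address to support the event analysis the reply recommends. This is an added example, not part of the original thread and not ISS sensor configuration; the record fields, function names and sample addresses are assumptions.

```python
from collections import defaultdict

# The four Connection Events from the reply: (protocol, source service,
# destination service). None stands for "any"; addresses are "any" in all four.
CONNECTION_EVENTS = {
    1: ("tcp", None, 9898),
    2: ("tcp", 9898, None),
    3: ("tcp", None, 5454),
    4: ("tcp", 5454, None),
}

def matching_events(conn):
    """Return the numbers of the Connection Events a connection record matches."""
    hits = []
    for number, (proto, sport, dport) in CONNECTION_EVENTS.items():
        if conn["proto"] != proto:
            continue
        if sport is not None and conn["sport"] != sport:
            continue
        if dport is not None and conn["dport"] != dport:
            continue
        hits.append(number)
    return hits

def summarize(conns):
    """Group matches by source address: distinct destinations and events seen."""
    summary = defaultdict(lambda: {"destinations": set(), "events": set()})
    for conn in conns:
        hits = matching_events(conn)
        if hits:
            entry = summary[conn["src"]]
            entry["destinations"].add(conn["dst"])
            entry["events"].update(hits)
    return dict(summary)

# Constructed sample records (documentation address ranges), not real traffic.
SAMPLE = [
    {"src": "198.51.100.7", "dst": "203.0.113.1", "proto": "tcp", "sport": 9898, "dport": 8080},
    {"src": "198.51.100.7", "dst": "203.0.113.2", "proto": "tcp", "sport": 9898, "dport": 8080},
    {"src": "198.51.100.7", "dst": "203.0.113.3", "proto": "tcp", "sport": 3120, "dport": 5454},
    {"src": "192.0.2.20", "dst": "203.0.113.1", "proto": "tcp", "sport": 5454, "dport": 80},
    {"src": "192.0.2.30", "dst": "203.0.113.1", "proto": "udp", "sport": 9898, "dport": 53},
    {"src": "192.0.2.40", "dst": "203.0.113.1", "proto": "tcp", "sport": 40000, "dport": 443},
]

if __name__ == "__main__":
    for src, info in sorted(summarize(SAMPLE).items()):
        print(src, sorted(info["events"]), len(info["destinations"]), "destination(s)")
```
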