IDS isn’t going to protect you from these worms… let’s initially focus on that:-

 

I’m just going to ramble and we can then home in on a solution…

 

It’s hard to believe patched machines are being re-infected, but it does happen. I suspect you have a rogue machine which isn’t managed in your domain environment and which you aren’t aware of, e.g. a 98 machine, a workgroup machine, a user’s home laptop, etc.

 

It does sound like your Watchguard box isn’t really up to the job, especially as you are specifically blocking ports. It shouldn’t be processing blocked packets, and thus shouldn’t be under that much stress, unless you are logging everything. I’m not a Watchguard expert, so maybe it deals with packets differently. This is all an ‘if’ scenario. I guess we need to ascertain:-

 

What size is your network, i.e. Nodes?

Which Watchguard model do you have?

Lan switches?

WAN links?

 

(Send a reply to me direct if you don’t want to broadcast your details)

 

It depends on your environment, but if you are sizeable, i.e. over 200+ users, then I would shoot for something like Check Point with the SmartDefense subscription. This will do deep inspection and cut out worms at the gateway, i.e. stopping them entering the ‘secured’ LAN. They are way ahead of the game compared to Cisco (…hearing Cisco fans smacking out angered replies).

 

BR

 

Rob
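Rob's first suggestion (find the unmanaged, infected machine) and Tom's symptom (infected hosts hammering the firewall on 445, 54321 and 6666 until it chokes) point at the same cheap first step: pull the firewall's deny log and count which internal sources are generating the blocked hits. The script below is an added example, not code from either poster; it runs over a handful of constructed log lines in a generic syslog-style `key=value` deny format, which is an assumption and not Watchguard's real log format, so the regex would need adapting to whatever your box actually writes. It separates hosts that fan out to many destinations (worm-like scanning) from hosts that repeatedly hit a single destination (more likely a misconfigured client worth checking before you pull its cable).

```python
import re
from collections import defaultdict

# Ports the bots in the thread were seen using: SMB (445) plus the
# two backdoor/IRC-style ports Tom mentions.
WORM_PORTS = {445, 54321, 6666}

# Constructed sample lines in a generic syslog-style "deny" format.  This is
# an assumption for the example and NOT the real Watchguard log format;
# adapt LINE_RE to whatever your firewall writes.
SAMPLE_LOG = """\
Dec 01 15:40:01 fw deny in eth1 src=10.1.2.34 dst=192.0.2.10 proto=tcp dport=445
Dec 01 15:40:01 fw deny in eth1 src=10.1.2.34 dst=192.0.2.11 proto=tcp dport=445
Dec 01 15:40:02 fw deny in eth1 src=10.1.2.34 dst=192.0.2.12 proto=tcp dport=445
Dec 01 15:40:02 fw deny in eth1 src=10.1.2.34 dst=192.0.2.13 proto=tcp dport=6666
Dec 01 15:40:03 fw deny in eth1 src=10.1.2.34 dst=192.0.2.14 proto=tcp dport=54321
Dec 01 15:40:03 fw deny in eth1 src=10.1.7.9 dst=203.0.113.5 proto=tcp dport=445
Dec 01 15:40:04 fw deny in eth1 src=10.1.7.9 dst=203.0.113.5 proto=tcp dport=445
Dec 01 15:40:05 fw allow in eth1 src=10.1.5.5 dst=198.51.100.2 proto=tcp dport=80
Dec 01 15:40:06 fw deny in eth1 src=10.1.9.77 dst=198.51.100.9 proto=udp dport=1434
"""

# Only denied connections matter here: allowed traffic never stresses the
# blocked-port rules, and we want the hosts the firewall is fighting.
LINE_RE = re.compile(
    r"\bdeny\b.*?\bsrc=(?P<src>\d{1,3}(?:\.\d{1,3}){3})"
    r".*?\bdst=(?P<dst>\d{1,3}(?:\.\d{1,3}){3})"
    r".*?\bdport=(?P<dport>\d+)"
)


def parse_denies(log_text):
    """Yield (src, dst, dport) for every denied connection attempt."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["dport"])


def triage(log_text, ports=WORM_PORTS, min_hits=3, min_targets=3):
    """Split internal sources with denied traffic to worm ports into two dicts.

    suspects: at least min_hits attempts AND at least min_targets distinct
              destinations, i.e. fan-out that looks like scanning.
    noisy:    everything else that touched a worm port (e.g. one host
              retrying a single destination), reported so it can be checked
              by hand rather than blocked blindly.
    Each record is {"hits": n, "targets": k, "ports": sorted ports used}.
    """
    hits = defaultdict(int)
    targets = defaultdict(set)
    used_ports = defaultdict(set)
    for src, dst, dport in parse_denies(log_text):
        if dport in ports:
            hits[src] += 1
            targets[src].add(dst)
            used_ports[src].add(dport)

    suspects, noisy = {}, {}
    for src in hits:
        rec = {"hits": hits[src], "targets": len(targets[src]),
               "ports": sorted(used_ports[src])}
        if rec["hits"] >= min_hits and rec["targets"] >= min_targets:
            suspects[src] = rec
        else:
            noisy[src] = rec
    return suspects, noisy


if __name__ == "__main__":
    suspects, noisy = triage(SAMPLE_LOG)
    for src, rec in sorted(suspects.items(), key=lambda kv: -kv[1]["hits"]):
        print(f"SUSPECT {src}: {rec['hits']} denied hits to "
              f"{rec['targets']} hosts on ports {rec['ports']}")
    for src, rec in noisy.items():
        print(f"check   {src}: {rec['hits']} denied hits to "
              f"{rec['targets']} hosts on ports {rec['ports']}")
```

On the constructed sample, 10.1.2.34 comes out as the scanner (five denied hits to five different destinations across all three ports) and 10.1.7.9 is listed for a manual check (two hits, one destination). Run against a real day's worth of deny logs, the suspects list is the set of machines to hunt down and image or pull off the wire, and any address that is not in your domain's computer inventory is exactly the rogue box Rob is talking about.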

 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: 01 December 2004 15:42
To: ActiveDir (E-mail)
Subject: [ActiveDir] Snort

 

Anyone had good experiences with snort, and can you recommend it as an IDS and for intrusion prevention?

I'm really getting hit hard with bots like W32.spybot.worm and W32.Randex.BTB. I get these worms even being fully patched and my Symantec defs are up to date. I'm looking for something cheap(read: free) to help me stop these things or at least contain them.

 

My managers are looking into Cisco's Self-Defending Network solution, but that's big $$ and might be a whole other management headache.

 

I was looking at some combination of our current AV (Symantec Corporate 9.0), GPO and snort as some sort of solution.

These bots are really annoying because they seem to infect even patched and up-to-date systems, and then they go out on ports 445 or 54321 or 6666, and even though our firewall (Watchguard) blocks these ports, enough of these infected systems can DoS my firewall or bring network traffic to a crawl.

 

Any recommendations?

thanks a lot

List info   : http://www.activedir.org/mail_list.htm

List FAQ    : http://www.activedir.org/list_faq.htm

List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
