IDS isn’t going to protect you from these worms… let’s initially focus on that: I’m just going to ramble and we can then home in on a solution…

It’s hard to believe patched machines are being re-infected… but it does happen. I suspect you have a rogue machine which isn’t managed in your domain environment and you aren’t aware of, i.e. a 98 machine, workgroup, user home laptop, etc.

It does sound like your Watchguard box isn’t really up to the job… especially as you are specifically blocking ports. It shouldn’t be processing blocked packets, thus shouldn’t be under that high stress, unless you are logging everything. I’m not a Watchguard expert so maybe it deals with packets differently. This is all an ‘if’ scenario.

I guess we need to ascertain:
- What size is your network, i.e. nodes?
- Which Watchguard model do you have?
- LAN switches?
- WAN links?
(Send a reply to me direct if you don’t want to broadcast your details.)

It depends on your environment, but if you are sizeable, i.e. over 200+ users, then I would shoot for something like Checkpoint with the SmartDefense subscription. This will do deep inspection and cut out worms at the gateway, i.e. stopping them entering the ‘secured’ LAN. They are way ahead of the game compared to Cisco (…hearing Cisco fans smacking out angered replies).

BR
Rob

-----Original Message-----

Anyone had good experiences with Snort, and can you recommend it as an IDS and intrusion prevention?

I'm really getting hit hard with bots like W32.spybot.worm and W32.Randex.BTB. I get these worms even being fully patched and my Symantec defs are up to date. I'm looking for something cheap (read: free) to help me stop these things or at least contain them.

My managers are looking into Cisco's Self-Defending Networks solution, but that's big $$ and might be a whole other management headache. I was looking at some combination of our current AV (Symantec Corporate 9.0) and GPO and Snort as some sort of solution.

These bots are really annoying because they seem to infect even patched and up-to-date systems, and then they go out on ports 445 or 54321 or 6666, and even though our firewall (Watchguard) blocks these ports, enough of these infected systems can DoS my firewall or bring network traffic to a crawl.

Any recommendations?

Thanks a lot

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
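Both posts point at the same triage step: the firewall is already denying the outbound 445/54321/6666 traffic, so its deny log tells you which internal hosts are generating it, which is how you find the infected or unmanaged machine Rob suspects. The following is an added example, not code from either poster or from Watchguard; it assumes a constructed, generic deny-log layout (`DENY src=... dst=... dport=...`), so `LINE_RE` and `parse_line()` would need adapting to a real Watchguard export.

```python
import re
from collections import Counter, defaultdict

# Ports the thread says the infected hosts go out on.
WORM_PORTS = {445, 54321, 6666}
# Assumed, constructed log layout; a real Watchguard log needs its own regex.
LINE_RE = re.compile(r"\bDENY\b.*\bsrc=(?P<src>\S+).*\bdst=(?P<dst>\S+).*\bdport=(?P<dport>\d+)")


def parse_line(line):
    """Return (src, dst, dport) for a DENY line, or None for anything else."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return m.group("src"), m.group("dst"), int(m.group("dport"))


def rank_sources(lines, ports=WORM_PORTS, threshold=20):
    """Return [(src, denies, distinct_dsts), ...], busiest first, for sources
    with at least `threshold` denies on `ports`. Many distinct destinations is
    the sweep signature; one destination hit repeatedly is usually a clean host."""
    denies = Counter()
    dsts = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, dport = parsed
        if dport in ports:
            denies[src] += 1
            dsts[src].add(dst)
    return [(s, n, len(dsts[s])) for s, n in denies.most_common() if n >= threshold]


def constructed_log():
    """Constructed sample: one sweeping host, one quiet host, two noise lines."""
    lines = [f"2004-07-12T10:00:{i:02d} DENY src=192.0.2.50 dst=203.0.113.{i} dport=445"
             for i in range(30)]  # sweep of 30 hosts on 445
    lines += [f"2004-07-12T10:01:{i:02d} DENY src=192.0.2.50 dst=203.0.113.{i} dport=6666"
              for i in range(10)]  # 10 of them again on 6666
    lines += [f"2004-07-12T10:02:{i:02d} DENY src=192.0.2.77 dst=203.0.113.200 dport=54321"
              for i in range(3)]  # three denies to a single destination
    lines.append("2004-07-12T10:03:00 DENY src=192.0.2.78 dst=203.0.113.201 dport=23")  # not a worm port
    lines.append("2004-07-12T10:03:01 ALLOW src=192.0.2.79 dst=203.0.113.202 dport=80")  # not a deny
    return lines
```

Run against the constructed log, `rank_sources()` returns only the sweeping host with 40 denies across 30 distinct destinations; the host that hit one destination three times stays below the threshold. Once the log is ranked like this, the top source is the machine to pull off the network and check against the domain inventory.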