About dslocombe

dslocombe · 11-30-2008

We have an IPS 4235 system with IPS-K9-5.1-8-E3 Engine and sig file IPS-sig-s368-reg-E3 in fron of our Firewall. We also (unfortunately) have the w32.conficker worm which is causing a DDOS and flooding the network with TCP 445 traffic. We are trying ...

dslocombe · 12-02-2008

We've tried all the deny options, how'ever we think the problem is that the W32Conficker worm / virus signature does not seem to be included in S368, as a result the IDS just picks up the TCP timeout and not the worm.

dslocombe · 12-02-2008

this didn't give us any denied attackers (see below);NWWIDS1# sh stat denied-attackersDenied Attackers and hit count for each.Statistics for Virtual Sensor vs0 Denied Attackers with percent denied and hit count for each.NWWIDS1#

dslocombe · 12-02-2008

Yes we have "Deny Attacker In Line", "Deny Attacker Service Pair InLine", "Deny Attacker Victim Pair Inline", "Deny Connection InLine", Deny Packet InLine", but we are still seeing 445 worm tarffic on the outside interface......

dslocombe · 12-01-2008

Thanks Jon,The IPS is configured in line - and yes it does detect on Sig. 1302. We are not sure how we could customise a signature as we do not understand the attack attribute (apart from port 445 to random IP addresses). WE have tried setting the si...

Member Since	‎12-18-2002 07:57 AM
Date Last Visited	‎08-18-2017 03:50 AM
Posts	5

User Statistics

User Activity

w32.conficker.worm - detection and blocking with a IPS 4235

Re: w32.conficker.worm - detection and blocking with a IPS 4235

Re: w32.conficker.worm - detection and blocking with a IPS 4235

Re: w32.conficker.worm - detection and blocking with a IPS 4235

Re: w32.conficker.worm - detection and blocking with a IPS 4235