[Snort-sigs] Blaster Alert-False Negative?

Bartholomew, Brian J BartholomewBJ at ...1764...
Thu Aug 14 07:26:48 EDT 2003

Ladies and Gents,

	I have a request that has been given to me to detect and report the
number of times we see this worm attempting to propagate to our systems.  I
have implemented the "official" signatures 2192 and 2193, but have yet to
see it trigger.  Does this worm first try to get a response back on port 135
or 445 before attempting this exploit, or does it just flood the Internet
with exploit attempts blindly?

	I have a feeling that I am missing something here.  I find it hard
to believe that we have not seen one Blaster attempt since 0800 this
morning.  One thing that may be causing the non-alerts is the fact that any
requests to our FW are dropped if on port 135 or 445, but the Snort device
is outside the FW.  That why I was wondering if the "infected" machine
needed a response before continuing with this exploit.  Any help would be
greatly appreciated.  Please reply to this address as I am not subscribed to
the list.  I just occasionally peruse via the web interface.  

Brian J. Bartholomew
U.S. Dept of State, Bureau of Diplomatic Security
Computer Incident Response Team

More information about the Snort-sigs mailing list