[Snort-sigs] Blaster Alert-False Negative?
Bartholomew, Brian J
BartholomewBJ at ...1764...
Thu Aug 14 07:26:48 EDT 2003
Ladies and Gents,
I have a request that has been given to me to detect and report the
number of times we see this worm attempting to propagate to our systems. I
have implemented the "official" signatures 2192 and 2193, but have yet to
see it trigger. Does this worm first try to get a response back on port 135
or 445 before attempting this exploit, or does it just flood the Internet
with exploit attempts blindly?
I have a feeling that I am missing something here. I find it hard
to believe that we have not seen one Blaster attempt since 0800 this
morning. One thing that may be causing the non-alerts is the fact that any
requests to our FW are dropped if on port 135 or 445, but the Snort device
is outside the FW. That's why I was wondering if the "infected" machine
needed a response before continuing with this exploit. Any help would be
greatly appreciated. Please reply to this address as I am not subscribed to
the list. I just occasionally peruse via the web interface.
Brian J. Bartholomew
U.S. Dept of State, Bureau of Diplomatic Security
Computer Incident Response Team
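The placement problem raised in the post can be shown with a small simulation. Blaster's exploit travels over TCP/135 as a DCE/RPC bind to the ISystemActivator interface followed by the overflow, so the attacker cannot send any RPC payload until the three-way handshake completes; a firewall behind the sensor that drops the SYN means the sensor only ever sees SYNs, and a payload-matching rule has nothing to match. The script below is an added example, not code from the original post or from the Snort signatures themselves: it builds a minimal DCE/RPC bind PDU for the (well-known) ISystemActivator UUID, runs a content check of the same class as a payload rule over two constructed packet lists, and separately counts SYN-only probes to 135/445, which is what a sensor outside the firewall can still report. The exact pattern the official rules match on, and all addresses, are assumptions made here.

```python
"""Added example (not from the original post): why a payload-content rule sees
nothing when the firewall behind the sensor drops TCP/135, and what can still
be counted from outside that firewall."""
import struct
from dataclasses import dataclass

# DCE/RPC interface UUID of ISystemActivator (000001a0-0000-0000-c000-000000000046),
# the interface Blaster binds to over TCP/135, in its little-endian wire form.
ISYSTEMACTIVATOR_UUID_LE = bytes.fromhex("a001000000000000c000000000000046")
# NDR transfer syntax 8a885d04-1ceb-11c9-9fe8-08002b104860, little-endian wire form.
NDR_TRANSFER_SYNTAX_LE = bytes.fromhex("045d888aeb1cc9119fe808002b104860")


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    flags: str          # TCP flags as letters: "S", "SA", "A", "PA"
    payload: bytes = b""


def build_dcerpc_bind(abstract_uuid_le: bytes, call_id: int = 1) -> bytes:
    """Build a minimal DCE/RPC v5 bind PDU (ptype 11) with one presentation context."""
    body = struct.pack("<HHI", 0x16D0, 0x16D0, 0)          # max xmit, max recv, assoc group
    body += struct.pack("<BBH", 1, 0, 0)                    # number of context items + padding
    body += struct.pack("<HBB", 0, 1, 0)                    # ctx id, number of transfer syntaxes, pad
    body += abstract_uuid_le + struct.pack("<I", 0)         # abstract syntax + version 0.0
    body += NDR_TRANSFER_SYNTAX_LE + struct.pack("<I", 2)   # transfer syntax + version 2
    frag_len = 16 + len(body)
    # rpc_vers, minor, ptype, pflags, data representation, frag_len, auth_len, call_id
    header = struct.pack("<BBBBIHHI", 5, 0, 11, 3, 0x10, frag_len, 0, call_id)
    return header + body


def is_isystemactivator_bind(payload: bytes) -> bool:
    """Content check of the kind a payload rule performs: DCE/RPC bind whose first
    presentation context names ISystemActivator (offset 32 in a one-context bind).
    The real signatures' byte patterns are not reproduced here; this is an assumption."""
    if len(payload) < 72 or payload[0] != 5 or payload[2] != 11:
        return False
    return payload[32:48] == ISYSTEMACTIVATOR_UUID_LE


def content_rule_hits(packets) -> int:
    """Number of TCP/135 packets whose payload would satisfy the content check."""
    return sum(1 for p in packets if p.dport == 135 and is_isystemactivator_bind(p.payload))


def syn_attempt_counts(packets, ports=(135, 445)) -> dict:
    """Count SYN-only probes per (source, destination port); these arrive at a sensor
    outside the firewall whether or not the firewall answers them."""
    counts: dict = {}
    for p in packets:
        if p.flags == "S" and p.dport in ports:
            counts[(p.src, p.dport)] = counts.get((p.src, p.dport), 0) + 1
    return counts


# Constructed sample traffic; addresses are placeholders, not real hosts.
ATTACKER, TARGET = "10.0.0.5", "192.0.2.10"


def blocked_scenario():
    """Firewall drops TCP/135: the outside sensor sees only the retransmitted SYNs."""
    return [Packet(ATTACKER, TARGET, 135, "S") for _ in range(3)]


def open_scenario():
    """Handshake completes, then the bind PDU rides on the established connection."""
    bind = build_dcerpc_bind(ISYSTEMACTIVATOR_UUID_LE)
    return [
        Packet(ATTACKER, TARGET, 135, "S"),
        Packet(TARGET, ATTACKER, 1045, "SA"),
        Packet(ATTACKER, TARGET, 135, "A"),
        Packet(ATTACKER, TARGET, 135, "PA", bind),
    ]


if __name__ == "__main__":
    for name, pkts in (("firewall drops 135", blocked_scenario()), ("135 reachable", open_scenario())):
        print(f"{name}: content-rule hits={content_rule_hits(pkts)} "
              f"syn probes={syn_attempt_counts(pkts)}")
```

In the blocked case the content check fires zero times while three SYN probes are counted; in the open case both fire. The practical consequence for a sensor outside a firewall that drops 135/445 is that propagation attempts must be counted as connection attempts (in Snort rule terms, a rule keyed on `flags:S` to those ports) rather than waited for as exploit payloads.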