[Snort-sigs] Blaster Alert-False Negative?

James Riden j.riden at ...1766...
Thu Aug 14 07:38:29 EDT 2003


"Bartholomew, Brian J" <BartholomewBJ at ...1764...> writes:

> Ladies and Gents,
>
> 	I have a request that has been given to me to detect and report the
> number of times we see this worm attempting to propagate to our systems.  I
> have implemented the "official" signatures 2192 and 2193, but have yet to
> see it trigger.  Does this worm first try to get a response back on port 135
> or 445 before attempting this exploit, or does it just flood the Internet
> with exploit attempts blindly?

I think it will try to complete the TCP handshake - i.e. if 135 isn't
open it won't send the exploit code.

I'm not seeing any activity from these rules either and am currently
tracking the problem by looking at portscan.log for hosts which are
sweeping through the address space on port 135. If you see a SYN to
port 4444 during the scan I think that means that the host has been
exploited successfully. The connections to port 69 don't get picked up
by this method because they are going from the infected machine back
to the attacker.

cheers,
 Jamie
-- 
James Riden / j.riden at ...1766... / Systems Programmer - Security
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
Tel: +64 6 3569099 ext. 7402
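The portscan.log heuristic Jamie describes above (a source sweeping many hosts on 135, then a SYN from the same source to 4444 on one of those hosts), written out as an added detection example; this is not code from the original post or from Snort. The log line layout is assumed to approximate Snort's portscan.log, and the sample lines and the threshold of five swept hosts are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the assumed layout of Snort's portscan.log:
#   <timestamp> <src>:<sport> -> <dst>:<dport> <type> <tcp flags>
SAMPLE_LOG = """\
Aug 14 07:30:01 10.0.0.7:1052 -> 192.168.1.1:135 SYN ******S*
Aug 14 07:30:01 10.0.0.7:1053 -> 192.168.1.2:135 SYN ******S*
Aug 14 07:30:01 10.0.0.7:1054 -> 192.168.1.3:135 SYN ******S*
Aug 14 07:30:02 10.0.0.7:1055 -> 192.168.1.4:135 SYN ******S*
Aug 14 07:30:02 10.0.0.7:1056 -> 192.168.1.5:135 SYN ******S*
Aug 14 07:30:03 10.0.0.7:1057 -> 192.168.1.4:4444 SYN ******S*
Aug 14 07:31:10 10.0.0.9:3301 -> 192.168.1.8:135 SYN ******S*
Aug 14 07:31:11 10.0.0.9:3302 -> 192.168.1.8:4444 SYN ******S*
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<kind>\S+) (?P<flags>\S+)$"
)

def parse_line(line):
    """Parse one portscan.log line; return None for lines we don't understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def find_blaster_candidates(lines, min_targets=5):
    """Return sources sweeping >= min_targets hosts on 135, and (src, dst)
    pairs where that source later sent a SYN to 4444 on a host it had probed."""
    rpc_targets = defaultdict(set)   # src -> hosts it probed on 135 so far
    followups = set()                # (src, dst): SYN to 4444 after a 135 probe
    for raw in lines:                # lines are processed in log order
        rec = parse_line(raw)
        if rec is None or rec["kind"] != "SYN":
            continue
        if rec["dport"] == 135:
            rpc_targets[rec["src"]].add(rec["dst"])
        elif rec["dport"] == 4444 and rec["dst"] in rpc_targets[rec["src"]]:
            followups.add((rec["src"], rec["dst"]))
    sweepers = {s for s, hosts in rpc_targets.items() if len(hosts) >= min_targets}
    likely_exploited = {pair for pair in followups if pair[0] in sweepers}
    return {"sweepers": sweepers, "likely_exploited": likely_exploited}
```

As the post notes, the infected host's own TFTP fetch on port 69 runs in the other direction and is not visible in this data, so the 4444 follow-up is the only confirmation this method gives.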