[Snort-sigs] Blaster Alert-False Negative?

Michael Scheidell scheidell at ...249...
Thu Aug 14 09:59:03 EDT 2003


> requests to our FW are dropped if on port 135 or 445, but the Snort device
> is outside the FW.  That why I was wondering if the "infected" machine
> needed a response before continuing with this exploit.  Any help would be
> greatly appreciated.  Please reply to this address as I am not subscribed to
> the list.  I just occasionally peruse via the web interface.  

In a TCP/IP connection, there would need to be the three-way handshake
prior to the first byte being sent.

Port 445 could indicate msblaster, or any number of SMB/CIFS attacks.

I would say that any +SYN connections to TCP port 135 or attempts to scan
TCP port 135 would indicate a worm attempt (you could check the
source IP against a distributed database like dshield or mynetwatchman to
make sure), but I suspect that by the time it got to you, that source IP
would have already attempted and been logged at several other places.

-- 
Michael Scheidell, CEO
SECNAP Network Security, LLC 
Sales: 866-SECNAPNET / (1-866-732-6276)
Main: 561-368-9561 / www.secnap.net
Looking for a career in Internet security?
http://www.secnap.net/employment/
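The point above (no handshake, no payload, so a content-matching rule never fires, while bare SYNs to 135 are still visible) can be shown on sample traffic. The following is an added illustration written for this page, not code from the thread or from Snort; the log lines are constructed in a simplified tcpdump-like format, the `handshake_states` state machine and the `payload_rule_hits` function are hypothetical stand-ins for a flow-tracking engine and a `flow:established` content rule, and the threshold of three distinct targets is an arbitrary assumption.

```python
"""Why a payload signature misses Blaster when the sensor sits outside a
firewall that drops inbound 135/445, and what a SYN heuristic sees instead."""
import re
from collections import defaultdict

WORM_PORTS = {135, 445}

# Constructed sample lines (not real captures) in a simplified format:
#   "<ts> <src>.<sport> > <dst>.<dport>: <flags> [len <bytes>]"
# Four SYNs toward 135/445 are dropped by the firewall, so no SYN-ACK
# ever returns; one web connection to port 80 completes normally.
SAMPLE_LOG = """\
0.000 203.0.113.7.3012 > 192.0.2.10.135: S
0.100 203.0.113.7.3013 > 192.0.2.11.135: S
0.200 203.0.113.7.3014 > 192.0.2.12.135: S
0.300 203.0.113.7.3015 > 192.0.2.13.445: S
1.000 198.51.100.5.4001 > 192.0.2.20.80: S
1.010 192.0.2.20.80 > 198.51.100.5.4001: SA
1.020 198.51.100.5.4001 > 192.0.2.20.80: A
1.030 198.51.100.5.4001 > 192.0.2.20.80: PA len 120
"""

LINE_RE = re.compile(
    r"^(?P<ts>[\d.]+)\s+(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+(?P<flags>[SAPFR]+)"
    r"(?:\s+len\s+(?P<len>\d+))?$"
)


def parse(log):
    """Parse the constructed log format into a list of packet dicts."""
    pkts = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a packet line
        d = m.groupdict()
        pkts.append({
            "ts": float(d["ts"]), "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]), "flags": d["flags"],
            "len": int(d["len"] or 0),
        })
    return pkts


def _step(states, p):
    """Advance the handshake state for one packet; keyed by client->server 4-tuple.
    States: syn_sent -> syn_received (SYN-ACK seen) -> established (final ACK)."""
    fwd = (p["src"], p["sport"], p["dst"], p["dport"])
    rev = (p["dst"], p["dport"], p["src"], p["sport"])
    if p["flags"] == "S":
        states[fwd] = "syn_sent"
    elif p["flags"] == "SA" and states.get(rev) == "syn_sent":
        states[rev] = "syn_received"
    elif "A" in p["flags"] and states.get(fwd) == "syn_received":
        states[fwd] = "established"
    return fwd


def handshake_states(pkts):
    """Final handshake state of every client->server flow seen."""
    states = {}
    for p in pkts:
        _step(states, p)
    return states


def payload_rule_hits(pkts, dports=WORM_PORTS):
    """Hypothetical stand-in for a content rule with flow:to_server,established:
    it can only fire on a data-bearing packet inside a completed handshake."""
    states, hits = {}, 0
    for p in pkts:
        key = _step(states, p)
        if p["dport"] in dports and p["len"] > 0 and states.get(key) == "established":
            hits += 1
    return hits


def half_open_to_worm_ports(pkts, ports=WORM_PORTS):
    """Flows to 135/445 that never got past SYN: what the outside sensor actually sees."""
    return sum(1 for (_, _, _, dp), st in handshake_states(pkts).items()
               if dp in ports and st == "syn_sent")


def syn_scan_sources(pkts, dport=135, min_targets=3):
    """Sources sending bare SYNs to `dport` at `min_targets` or more distinct hosts
    (threshold is an assumption; tune it to the network's normal 135 traffic)."""
    targets = defaultdict(set)
    for p in pkts:
        if p["flags"] == "S" and p["dport"] == dport:
            targets[p["src"]].add(p["dst"])
    return {src for src, hosts in targets.items() if len(hosts) >= min_targets}


if __name__ == "__main__":
    pkts = parse(SAMPLE_LOG)
    print("payload-rule hits on 135/445:", payload_rule_hits(pkts))
    print("half-open flows to 135/445:", half_open_to_worm_ports(pkts))
    print("SYN-scanning sources on 135:", syn_scan_sources(pkts))
```

On the sample traffic the payload rule records zero hits on 135/445 even though every one of those SYNs is a worm attempt, while the same rule does fire on the completed port-80 session when pointed at port 80; the SYN-based check is what flags the scanning source. In a real deployment the same blindness applies to any `flow:established` rule for ports the upstream firewall drops, so either move the sensor inside the firewall or add a threshold rule on bare SYNs to 135.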