[Snort-sigs] Blaster Alert-False Negative?

lordchariot at ...817...
Thu Aug 14 09:59:19 EDT 2003

I, too, wanted to just count the probe attempts for this worm by
trapping any 135/137/445 attempt. I believe snort won't trigger an
alert unless it actually connects to something; that is why you are not
seeing any alerts. (flow:to_server,established)

I put the following in my experimental.rules and it seems to be working:

alert udp $EXTERNAL_NET any -> $HOME_NET 137 (msg:"NETBIOS Name Query Probe (137/udp)"; classtype:attempted-recon;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"MS-RPC Probe (135/tcp)"; classtype:attempted-recon;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"microsoft-ds Probe (445/tcp)"; classtype:attempted-recon;)

This won't positively identify any specific worm or variant, just a
generic probe attempt at these ports. 

Give it a try. Good luck.
Erik Elsasser, System Engineering
CyberGuard Corporation, Northeast Region
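The following is an added example, not part of Erik's post and not Snort code. It is a small Python model of the point above: a tiny three-way-handshake tracker standing in for Snort's flow tracking, run over a constructed packet trace in which one scanner hits a host whose firewall silently drops 135/445 (so the sensor outside the firewall sees only SYNs) and another scanner reaches a host that answers. A rule written in the style of sid 2192/2193 (flow:to_server,established plus a content match; the content bytes here are a placeholder, not the real signature's pattern) fires only for the completed session, while the stateless port rules count every probe. The $HOME_NET range, the addresses and the payload are all assumptions made for the example. It also shows two refinements Erik's rules do not have: adding flags:S so SYN retransmits and later data packets are not counted as extra probes, and counting unique (source, target, port) pairs.

```python
"""Added example: why a flow:to_server,established rule stays silent on
probes the firewall drops, while a stateless port rule counts them.
Not Snort code; this only mimics the rule semantics under discussion."""
import ipaddress
from collections import Counter
from dataclasses import dataclass

HOME_NET = ipaddress.ip_network("192.0.2.0/24")  # assumption: stand-in for $HOME_NET
STAND_IN_BIND = b"\x05\x00\x0b"  # assumption: placeholder content, not sid 2192's pattern


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str            # TCP flag letters, e.g. "S", "SA", "A", "PA"
    payload: bytes = b""


# Constructed trace (not captured traffic). 10.0.0.5 scans a host whose
# firewall drops 135/445, so only SYNs (and one retransmit) reach the sensor.
# 10.0.0.7 reaches a host that answers, so the handshake completes.
TRACE = [
    Pkt("10.0.0.5", 1030, "192.0.2.10", 135, "S"),
    Pkt("10.0.0.5", 1030, "192.0.2.10", 135, "S"),        # SYN retransmit
    Pkt("10.0.0.5", 1031, "192.0.2.10", 445, "S"),
    Pkt("10.0.0.7", 1025, "192.0.2.20", 135, "S"),
    Pkt("192.0.2.20", 135, "10.0.0.7", 1025, "SA"),
    Pkt("10.0.0.7", 1025, "192.0.2.20", 135, "A"),
    Pkt("10.0.0.7", 1025, "192.0.2.20", 135, "PA", STAND_IN_BIND + b"\x00" * 20),
]


def track(trace):
    """Minimal handshake tracker standing in for Snort's flow tracking.
    Flow key is (client, client_port, server, server_port); returns a list of
    (pkt, direction, state) with state in syn/synack/established/none."""
    flows, out = {}, []
    for p in trace:
        fwd = (p.src, p.sport, p.dst, p.dport)   # key if p is client -> server
        rev = (p.dst, p.dport, p.src, p.sport)   # key if p is server -> client
        if p.flags == "S":
            flows[fwd] = "syn"
            out.append((p, "to_server", "syn"))
        elif rev in flows:                        # packet from the server side
            if p.flags == "SA" and flows[rev] == "syn":
                flows[rev] = "synack"
            out.append((p, "to_client", flows[rev]))
        else:
            state = flows.get(fwd, "none")
            if state == "synack" and "A" in p.flags:   # third packet: handshake done
                state = flows[fwd] = "established"
            out.append((p, "to_server", state))
    return out


def external_to_home(p):
    """$EXTERNAL_NET any -> $HOME_NET, with $EXTERNAL_NET = !$HOME_NET."""
    return (ipaddress.ip_address(p.dst) in HOME_NET
            and ipaddress.ip_address(p.src) not in HOME_NET)


def official_style(p, direction, state):
    """Models flow:to_server,established plus a content match on port 135."""
    return (p.dport == 135 and direction == "to_server"
            and state == "established" and STAND_IN_BIND in p.payload)


def probe_as_posted(p, direction, state):
    """Erik's rules: any tcp $EXTERNAL_NET -> $HOME_NET 135/445, no flow keyword."""
    return external_to_home(p) and p.dport in (135, 445)


def probe_syn_only(p, direction, state):
    """Same rule with flags:S so retransmits and data packets are not counted again."""
    return probe_as_posted(p, direction, state) and p.flags == "S"


def alerts_by_src(trace, rule):
    """Number of alerts the given rule would raise, per source address."""
    return Counter(p.src for p, d, s in track(trace) if rule(p, d, s))


def unique_probes(trace):
    """Distinct (source, target, port) SYN probes, which is what you want to report."""
    return {(p.src, p.dst, p.dport) for p, d, s in track(trace) if probe_syn_only(p, d, s)}


if __name__ == "__main__":
    for name, rule in [("official-style", official_style),
                       ("probe as posted", probe_as_posted),
                       ("probe with flags:S", probe_syn_only)]:
        print(f"{name:20s} {dict(alerts_by_src(TRACE, rule))}")
    print("unique probes:", len(unique_probes(TRACE)))
```

Against this trace the established-only rule reports nothing from the scanner whose targets sit behind the dropping firewall, which is the false negative Brian describes; the stateless rule sees both scanners, and adding flags:S stops the retransmit and the later ACK/data packets from inflating the count.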

-----Original Message-----
From: snort-sigs-admin at lists.sourceforge.net
[mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of
Bartholomew, Brian J
Sent: Wednesday, August 13, 2003 11:10 AM
To: 'snort-sigs at lists.sourceforge.net'
Subject: [Snort-sigs] Blaster Alert-False Negative?

Ladies and Gents,

	I have a request that has been given to me to detect and report the
number of times we see this worm attempting to propagate to our systems.
I have implemented the "official" signatures 2192 and 2193, but have yet
to see it trigger.  Does this worm first try to get a response back on port
135 or 445 before attempting this exploit, or does it just flood the
network with exploit attempts blindly?

	I have a feeling that I am missing something here.  I find it hard
to believe that we have not seen one Blaster attempt since 0800 this
morning.  One thing that may be causing the non-alerts is the fact that
requests to our FW are dropped if on port 135 or 445, but the Snort
sensor is outside the FW.  That is why I was wondering if the "infected"
machine needed a response before continuing with this exploit.  Any help
would be greatly appreciated.  Please reply to this address as I am not
subscribed to the list; I just occasionally peruse via the web interface.

Brian J. Bartholomew
U.S. Dept of State, Bureau of Diplomatic Security
Computer Incident Response Team

Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net