[Snort-sigs] Blaster Alert-False Negative?

lordchariot at ...817...
Thu Aug 14 09:59:19 EDT 2003


I, too, wanted to just count the probe attempts for this worm by
trapping any 135/137/445 attempt. I believe snort won't trigger an
alert unless it actually connects to something; that is why you are not
seeing any alerts. (flow:to_server,established)

I put the following in my experimental.rules and it seems to be working:

alert udp $EXTERNAL_NET any -> $HOME_NET 137 (msg:"NETBIOS Name Query Probe (137/udp)"; classtype:attempted-recon; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"MS-RPC Probe (135/tcp)"; classtype:attempted-recon; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"microsoft-ds Probe (445/tcp)"; classtype:attempted-recon; )


This won't positively identify any specific worm or variant, just a
generic probe attempt at these ports. 

Give it a try. Good luck.
Erik
_________________________________________________ 
Erik Elsasser                  System Engineering 
CyberGuard Corporation           Northeast Region 

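As an added illustration (not code from the thread or from Snort itself), a small Python model of why a rule gated on flow:to_server,established, like signatures 2192 and 2193, cannot fire when the firewall drops the SYN, while the bare probe rules above still count it. The packet trace, addresses and alert labels are constructed for this example.

```python
from collections import Counter

# Constructed trace for this example: (client, server, service_port, flags).
# "S" and "A"/"PA" travel client -> server; "SA" travels server -> client.
TRACE = [
    # Probes the firewall drops: the sensor sees the SYN, a SYN/ACK never returns.
    ("10.9.8.7", "192.0.2.10", 135, "S"),
    ("10.9.8.7", "192.0.2.10", 135, "S"),   # retransmitted SYN
    ("10.9.8.8", "192.0.2.11", 445, "S"),
    # A host the firewall lets through: full handshake, then a request.
    ("10.9.8.9", "192.0.2.12", 135, "S"),
    ("10.9.8.9", "192.0.2.12", 135, "SA"),
    ("10.9.8.9", "192.0.2.12", 135, "A"),
    ("10.9.8.9", "192.0.2.12", 135, "PA"),
]
WATCHED_PORTS = (135, 445)


def run_sensor(trace):
    """Count alerts for probe rules (no flow keyword) and for a rule gated
    on flow:to_server,established. Content matching is deliberately omitted
    so the example isolates the effect of the flow requirement."""
    syn_seen, syn_acked, established = set(), set(), set()
    alerts = Counter()
    for client, server, port, flags in trace:
        key = (client, server, port)
        if port not in WATCHED_PORTS:
            continue
        if flags == "S":
            # Probe rule fires on the bare SYN, whether or not anyone answers.
            alerts[f"probe/{port}"] += 1
            syn_seen.add(key)
        elif flags == "SA" and key in syn_seen:
            syn_acked.add(key)
        elif flags == "A" and key in syn_acked:
            established.add(key)        # three-way handshake complete
        elif flags == "PA" and key in established:
            # Only here would a flow:to_server,established rule go on to
            # evaluate its content matches; a dropped probe never gets here.
            alerts[f"established/{port}"] += 1
    return alerts


if __name__ == "__main__":
    print("full trace:", dict(run_sensor(TRACE)))
    print("dropped probes only:", dict(run_sensor(TRACE[:3])))
```

Running it over only the first three records (the traffic a dropping firewall leaves visible to an outside sensor) yields probe counts and no established alert at all.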

-----Original Message-----
From: snort-sigs-admin at lists.sourceforge.net
[mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of
Bartholomew, Brian J
Sent: Wednesday, August 13, 2003 11:10 AM
To: 'snort-sigs at lists.sourceforge.net'
Subject: [Snort-sigs] Blaster Alert-False Negative?


Ladies and Gents,

	I have a request that has been given to me to detect and report the
number of times we see this worm attempting to propagate to our systems. I
have implemented the "official" signatures 2192 and 2193, but have yet to
see it trigger.  Does this worm first try to get a response back on port 135
or 445 before attempting this exploit, or does it just flood the Internet
with exploit attempts blindly?

	I have a feeling that I am missing something here.  I find it hard
to believe that we have not seen one Blaster attempt since 0800 this
morning.  One thing that may be causing the non-alerts is the fact that any
requests to our FW are dropped if on port 135 or 445, but the Snort device
is outside the FW.  That's why I was wondering if the "infected" machine
needed a response before continuing with this exploit.  Any help would be
greatly appreciated.  Please reply to this address as I am not subscribed to
the list.  I just occasionally peruse via the web interface.

Brian J. Bartholomew
U.S. Dept of State, Bureau of Diplomatic Security
Computer Incident Response Team
(571)345-2654


