(long, slightly OT) Re: [Snort-sigs] Blaster Alert-False Negative?

JP Vossen vossenjp at ...1431...
Fri Aug 15 14:04:15 EDT 2003


> From: "Bartholomew, Brian J" <BartholomewBJ at ...1764...>
> To: "'snort-sigs at lists.sourceforge.net'"
> Date: Wed, 13 Aug 2003 11:10:21 -0400
> Subject: [Snort-sigs] Blaster Alert-False Negative?
>
> 	I have a request that has been given to me to detect and report the
> number of times we see this worm attempting to propagate to our systems.  I
> have implemented the "official" signatures 2192 and 2193, but have yet to
> see it trigger.  Does this worm first try to get a response back on port 135
> or 445 before attempting this exploit, or does it just flood the Internet
> with exploit attempts blindly?

Other posters have answered the Snort rules and 3-way handshake issues very
well.  But here is another thought.  First, how accurate do you need to be?
I've been monitoring this via my honeypot (which is a 486 on an iDSL line, so
we're not talking lots of resources here).  I'm tracking hits to tcp dst port
135, then dividing by 2.  My honeypot DOES answer on 135/TCP, but it does not
answer with a true MS RPC/EPMapper, so I tend to see a SYN come in, and then I
send out an ACK,RST.  So for my purposes, 2 packets with 135/TCP = 1 "attack."
But 1 incoming packet = 1 attack more or less, so far.

So why not just stick a machine outside the firewall running tcpdump?
Needless to say, use a hardened box, but tcpdump runs on UNIX or Windows
(well, Windump).  As I started typing this message, I fired it up on my
honeypot.  In the time it took to write this message, I got this [0].

The advantage to using tcpdump is that it's simple, and there is almost no
configuration, rules, tweaking, etc.  The disadvantage is that it's less
accurate.  However, for my honeypot I've had next to zero 135/TCP traffic
UNTIL DCOM/Blaster, so if you can live with a +- 3 packets a day error...
Here are my month-to-date stats [1].  But last month was next to nothing
except for a burst on the 20th or so.

Basically, do something like this:
	tcpdump -vn tcp dst port 135 > Blaster.log

Then, 'wc -l Blaster.log' every once in a while to count the # of lines.
Roll the file at midnight or whatever, or do grep -c (might want -tttt on
tcpdump for a more useful date/time stamp) [2] for stats.

Or, you can use snort in sniffer mode more or less the same way.  It really
doesn't matter except snort output is more than 1 line per packet, so you have
to grep for something instead of wc -l.

Final note: I threw in 445 for my tests for the heck of it, but no hits.  It
probably doesn't matter.

Later,
JP
------------------------------|:::======|--------------------------------
JP Vossen, CISSP              |:::======|         jp{at}jpsdomain{dot}org
My Account, My Opinions       |=========|       http://www.jpsdomain.org/
------------------------------|=========|--------------------------------
"The software said it requires Windows XP or better, so I installed
Linux..."


[0] tcpdump -vn tcp dst port 135 or 445
tcpdump: listening on eth0

16:37:21.603786 66.91.87.87.1875 > 66.xxx.xxx.115.135: S [tcp sum ok]
2153621246:2153621246(0) win 64240 <mss 1460,nop,wscale 0,nop,nop,timestamp 0
0,nop,nop,sackOK> (DF) (ttl 113, id 53801, len 64)

16:37:22.253808 66.91.87.87.1875 > 66.xxx.xxx.115.135: S [tcp sum ok]
2153621246:2153621246(0) win 64240 <mss 1460,nop,wscale 0,nop,nop,timestamp 0
0,nop,nop,sackOK> (DF) (ttl 113, id 53808, len 64)

16:37:22.843828 66.91.87.87.1875 > 66.xxx.xxx.115.135: S [tcp sum ok]
2153621246:2153621246(0) win 64240 <mss 1460,nop,wscale 0,nop,nop,timestamp 0
0,nop,nop,sackOK> (DF) (ttl 113, id 53811, len 64)

16:42:40.654408 66.236.51.253.1471 > 66.xxx.xxx.115.135: S [tcp sum ok]
4180333263:4180333263(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 115, id
11013, len 48)

16:42:43.514503 66.236.51.253.1471 > 66.xxx.xxx.115.135: S [tcp sum ok]
4180333263:4180333263(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 115, id
11929, len 48)

16:42:44.324530 66.236.51.253.1471 > 66.xxx.xxx.115.135: S [tcp sum ok]
4180333263:4180333263(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 115, id
12362, len 48)

16:43:16.635606 66.91.10.62.4282 > 66.xxx.xxx.115.135: S [tcp sum ok]
1158136890:1158136890(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 113, id
31655, len 48)

16:43:59.967048 66.92.248.212.2993 > 66.xxx.xxx.115.135: S [tcp sum ok]
1929304233:1929304233(0) win 65268 <mss 1332,nop,nop,sackOK> (DF) (ttl 116, id
3796, len48)

16:44:00.497066 66.92.248.212.2993 > 66.xxx.xxx.115.135: S [tcp sum ok]
1929304233:1929304233(0) win 65268 <mss 1332,nop,nop,sackOK> (DF) (ttl 116, id
3813, len48)

16:44:01.147087 66.92.248.212.2993 > 66.xxx.xxx.115.135: S [tcp sum ok]
1929304233:1929304233(0) win 65268 <mss 1332,nop,nop,sackOK> (DF) (ttl 116, id
3816, len48)



[1] # packets to hit honeypot:135 (TCP) by date in August 2003
Date            Count   /hr     EST. Attacks
2003-08-01:     13      0/hr    6
2003-08-02:     8       0/hr    4
2003-08-03:     11      0/hr    5
2003-08-04:     9       0/hr    4
2003-08-05:     47      1/hr    23
2003-08-06:     67      2/hr    33
2003-08-07:     11      0/hr    5
2003-08-08:     12      0/hr    6
2003-08-09:     12      0/hr    6
2003-08-10:     37      1/hr    18
2003-08-11:     771     32/hr   385
2003-08-12:     1695    70/hr   847
2003-08-13:     1142    47/hr   571
2003-08-14:     1219    50/hr   609
2003-08-15:     713     44/hr   356
Current up to: 2003-08-15 16:42:52-0400
Note 1: Est. Attacks assumes 2 packets per attack. That is--an ESTIMATE!
Note 2: The last entry is also a rough estimate...


[2] tcpdump -vntttt tcp dst port 135 or 445
tcpdump: listening on eth0

08/15/2003 20:53:54.126828 66.91.61.223.3338 > 66.xxx.xxx.115.135: S [tcp sum
ok] 178932069:178932069(0) win 64240 <mss 1460,nop,nop,sackOK> (DF) (ttl 114,
id 41730, len 48)

08/15/2003 20:53:54.776850 66.91.61.223.3338 > 66.xxx.xxx.115.135: S [tcp sum
ok] 178932069:178932069(0) win 64240 <mss 1460,nop,nop,sackOK> (DF) (ttl 114,
id 41750, len 48)

08/15/2003 20:53:55.376870 66.91.61.223.3338 > 66.xxx.xxx.115.135: S [tcp sum
ok] 178932069:178932069(0) win 64240 <mss 1460,nop,nop,sackOK> (DF) (ttl 114,
id 41752, len 48)
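The counting procedure described in the post (a `tcpdump -tttt` log, `grep -c` per date, divide by 2), as an added shell example that is not part of the original post or of tcpdump itself. It tallies packets per day from a constructed log in the MM/DD/YYYY format shown in footnote [2] and, going one step beyond the post, also counts distinct source host/port pairs, since the capture in [0] shows each source retrying its SYN three times from the same source port. The sample addresses are constructed documentation ranges.

```shell
#!/bin/sh
# Added example, not from the original post.  Summarise a log written by
#   tcpdump -vntttt tcp dst port 135 > Blaster.log
# (older tcpdump MM/DD/YYYY -tttt stamps, as in footnote [2]) into per-day
# packet counts, the post's "2 packets = 1 attack" estimate, and distinct sources.

# Constructed sample log.  Day one: one host retries its SYN 3 times (first
# packet wrapped the way a mail client wraps it) plus one lone SYN from
# another host; day two: two hosts sending 3 SYNs each.
write_sample_log() {
  cat > "$1" <<'EOF'
08/15/2003 20:53:54.126828 192.0.2.10.3338 > 198.51.100.5.135: S [tcp sum
ok] 178932069:178932069(0) win 64240 <mss 1460,nop,nop,sackOK> (DF) (ttl 114,
id 41730, len 48)
08/15/2003 20:53:54.776850 192.0.2.10.3338 > 198.51.100.5.135: S [tcp sum ok] 178932069:178932069(0) win 64240 (DF) (ttl 114, id 41750, len 48)
08/15/2003 20:53:55.376870 192.0.2.10.3338 > 198.51.100.5.135: S [tcp sum ok] 178932069:178932069(0) win 64240 (DF) (ttl 114, id 41752, len 48)
08/15/2003 21:02:11.004512 192.0.2.77.1471 > 198.51.100.5.135: S [tcp sum ok] 4180333263:4180333263(0) win 16384 (DF) (ttl 115, id 11013, len 48)
08/16/2003 00:10:03.221000 192.0.2.33.4282 > 198.51.100.5.135: S [tcp sum ok] 1158136890:1158136890(0) win 16384 (DF) (ttl 113, id 31655, len 48)
08/16/2003 00:10:06.101000 192.0.2.33.4282 > 198.51.100.5.135: S [tcp sum ok] 1158136890:1158136890(0) win 16384 (DF) (ttl 113, id 31701, len 48)
08/16/2003 00:10:12.301000 192.0.2.33.4282 > 198.51.100.5.135: S [tcp sum ok] 1158136890:1158136890(0) win 16384 (DF) (ttl 113, id 31744, len 48)
08/16/2003 03:41:59.967048 192.0.2.201.2993 > 198.51.100.5.135: S [tcp sum ok] 1929304233:1929304233(0) win 65268 (DF) (ttl 116, id 3796, len 48)
08/16/2003 03:42:00.497066 192.0.2.201.2993 > 198.51.100.5.135: S [tcp sum ok] 1929304233:1929304233(0) win 65268 (DF) (ttl 116, id 3813, len 48)
08/16/2003 03:42:01.147087 192.0.2.201.2993 > 198.51.100.5.135: S [tcp sum ok] 1929304233:1929304233(0) win 65268 (DF) (ttl 116, id 3816, len 48)
EOF
}

# Print one line per day: "date packets est_attacks distinct_sources".
# Only lines that begin with a timestamp are counted (the grep -c idea), so
# wrapped continuation lines are ignored.  est_attacks is the post's
# packets/2 (integer division, matching the table in [1]); distinct_sources
# counts unique "src.port" fields (field 3), which in the capture [0] is the
# closer proxy for one connection attempt than dividing by 2.
daily_stats() {
  grep -E '^[0-9]{2}/[0-9]{2}/[0-9]{4} ' "$1" |
  awk '{ d = $1; pkts[d]++
         k = d SUBSEP $3
         if (!(k in seen)) { seen[k] = 1; srcs[d]++ } }
       END { for (d in pkts)
               printf "%s %d %d %d\n", d, pkts[d], int(pkts[d] / 2), srcs[d] }' |
  sort   # MM/DD/YYYY sorts into date order within a single year
}

# Usage: sh this_script.sh Blaster.log
if [ $# -gt 0 ]; then daily_stats "$1"; fi
```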
