[Snort-sigs] Blaster Alert-False Negative?

Jade E. Deane jade.deane at ...1778...
Sun Aug 17 12:35:04 EDT 2003


This brings up a question I've been kicking around for a while now...

I have a Snort sensor on a mirrored port where my very edge packet
filter sits.  This packet filter does not allow ANY ingress traffic that
isn't already established in its egress state table.

The question is, what is a good solution for picking up attacks that
require a full TCP handshake?  Netcat?  Honeypot machine?

Regards,
Jade
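Jade's question and Erik's explanation below turn on the same point: a rule carrying flow:to_server,established cannot fire for a SYN that the packet filter silently drops, because the sensor never sees the SYN/ACK and ACK that would make the flow established. The following Python is added here and is not part of the thread; it simulates that with a minimal handshake tracker over constructed packets, and PROBE_RULES, ESTABLISHED_RULE, the addresses, ports and payload are all assumptions (the established rule is a stand-in for sids 2192/2193, not their actual content matches).

```python
from collections import defaultdict, namedtuple
# proto "tcp"/"udp"; flags are TCP flag letters ("S", "SA", "A", "PA"), empty for UDP
Pkt = namedtuple("Pkt", "proto src dst sport dport flags payload", defaults=("", b""))

# Stateless probe rules in the spirit of the quoted experimental.rules:
# they fire on any packet toward the port, so no flow state is needed.
PROBE_RULES = {("udp", 137): "NETBIOS Name Query Probe (137/udp)",
               ("tcp", 135): "MS-RPC Probe (135/tcp)",
               ("tcp", 445): "microsoft-ds Probe (445/tcp)"}
ESTABLISHED_RULE = "established-only RPC rule (stand-in for sids 2192/2193)"

def flow_key(p):
    """Key every packet as (client, cport, server, sport); SYN/ACK is server->client."""
    if p.flags == "SA":
        return (p.dst, p.dport, p.src, p.sport)
    return (p.src, p.sport, p.dst, p.dport)

def evaluate(packets):
    """Return alert counts: stateless probe rules vs. a flow:established rule."""
    state, counts = {}, defaultdict(int)
    for p in packets:
        key, to_server = flow_key(p), p.flags != "SA"
        if p.proto == "tcp":            # minimal three-way-handshake tracker
            if p.flags == "S":
                state[key] = "syn"
            elif p.flags == "SA" and state.get(key) == "syn":
                state[key] = "synack"
            elif "A" in p.flags and state.get(key) == "synack":
                state[key] = "established"
        if to_server and (p.proto, p.dport) in PROBE_RULES:
            counts[PROBE_RULES[(p.proto, p.dport)]] += 1
        # flow:to_server,established plus a payload: never true for a SYN the
        # firewall silently dropped, because no SYN/ACK ever comes back
        if (to_server and p.proto == "tcp" and p.dport == 135 and p.payload
                and state.get(key) == "established"):
            counts[ESTABLISHED_RULE] += 1
    return dict(counts)

def sample_traffic():
    """Constructed packets as seen by a sensor outside a filter dropping unsolicited SYNs."""
    pkts = [Pkt("tcp", "198.51.100.7", "192.0.2.10", 3001, 135, "S"),
            Pkt("tcp", "198.51.100.7", "192.0.2.11", 3002, 135, "S"),
            Pkt("tcp", "198.51.100.9", "192.0.2.10", 3003, 445, "S"),
            Pkt("udp", "198.51.100.9", "192.0.2.10", 137, 137)]
    c, s = "198.51.100.20", "192.0.2.50"   # the one SYN that gets answered (a honeypot host)
    pkts += [Pkt("tcp", c, s, 3004, 135, "S"), Pkt("tcp", s, c, 135, 3004, "SA"),
             Pkt("tcp", c, s, 3004, 135, "A"),
             Pkt("tcp", c, s, 3004, 135, "PA", b"constructed-rpc-request")]
    return pkts
```

Only the completed handshake satisfies the established rule; the stateless rules count every SYN, which is what Brian's request needs, but they also fire on every later packet of a real session, so expect noise on busy ports.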

On Thu, 2003-08-14 at 11:42, lordchariot at ...817... wrote:
> I, too, wanted to just count the probe attempts for this worm by
> trapping any 135/137/445 attempt. I believe snort won't trigger and
> alert unless it actually connects to something, that is why you are not
> seeing any alerts. (flow:to_server,established)
> 
> I put the following in my experimental.rules and it seems to be working:
> 
> alert udp $EXTERNAL_NET any -> $HOME_NET 137 (msg:"NETBIOS Name Query Probe (137/udp)"; classtype:attempted-recon; )
> alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"MS-RPC Probe (135/tcp)"; classtype:attempted-recon; )
> alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"microsoft-ds Probe (445/tcp)"; classtype:attempted-recon; )
> 
> 
> This won't positively identify any specific worm or variant, just a
> generic probe attempt at these ports. 
> 
> Give it a try. Good luck.
> Erik
> _________________________________________________ 
> Erik Elsasser                  System Engineering 
> CyberGuard Corporation           Northeast Region 
> 
> 
> -----Original Message-----
> From: snort-sigs-admin at lists.sourceforge.net
> [mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of
> Bartholomew, Brian J
> Sent: Wednesday, August 13, 2003 11:10 AM
> To: 'snort-sigs at lists.sourceforge.net'
> Subject: [Snort-sigs] Blaster Alert-False Negative?
> 
> 
> Ladies and Gents,
> 
> 	I have a request that has been given to me to detect and report the
> number of times we see this worm attempting to propagate to our systems. I
> have implemented the "official" signatures 2192 and 2193, but have yet to
> see it trigger.  Does this worm first try to get a response back on port 135
> or 445 before attempting this exploit, or does it just flood the Internet
> with exploit attempts blindly?
> 
> 	I have a feeling that I am missing something here.  I find it hard
> to believe that we have not seen one Blaster attempt since 0800 this
> morning.  One thing that may be causing the non-alerts is the fact that any
> requests to our FW are dropped if on port 135 or 445, but the Snort device
> is outside the FW.  That's why I was wondering if the "infected" machine
> needed a response before continuing with this exploit.  Any help would be
> greatly appreciated.  Please reply to this address as I am not subscribed to
> the list.  I just occasionally peruse via the web interface.
> 
> Brian J. Bartholomew
> U.S. Dept of State, Bureau of Diplomatic Security
> Computer Incident Response Team
> (571)345-2654
> 
> 
> 
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs