(long, slightly OT) Re: [Snort-sigs] Blaster Alert-False Negative?

Bartholomew, Brian J BartholomewBJ at ...1764...
Tue Aug 19 05:13:05 EDT 2003


Thank you all for the responses.  Turns out you all are right on the money.
Since there are no responses to the initial scanning leaving our FWs, we
have not seen an attempt to exploit a box since the worm came out.  Thank
God for proxies!  Anyway, what I have been doing is counting the number of
inbound requested sessions to the ports used by the worm in hopes to get an
estimated number of scans.  Problem is, we see tons of port 135 scans
everyday anyway, so this really doesn't give a good number, but it is at
least something tangible to show.  Thanks again for the help!

Brian J. Bartholomew
U.S. Dept of State, Bureau of Diplomatic Security
Computer Incident Response Team
(571)345-2654


-----Original Message-----
From: JP Vossen [mailto:vossenjp at ...1431...]
Sent: Friday, August 15, 2003 4:58 PM
To: Snort Sigs Mailing List
Cc: BartholomewBJ at ...1764...
Subject: (long, slightly OT) Re: [Snort-sigs] Blaster Alert-False Negative?


> From: "Bartholomew, Brian J" <BartholomewBJ at ...1764...>
> To: "'snort-sigs at lists.sourceforge.net'"
> Date: Wed, 13 Aug 2003 11:10:21 -0400
> Subject: [Snort-sigs] Blaster Alert-False Negative?
>
> 	I have a request that has been given to me to detect and report the
> number of times we see this worm attempting to propagate to our systems.  I
> have implemented the "official" signatures 2192 and 2193, but have yet to
> see it trigger.  Does this worm first try to get a response back on port 135
> or 445 before attempting this exploit, or does it just flood the Internet
> with exploit attempts blindly?

Other posters have answered the Snort rules and 3-way handshake issues very
well.  But here is another thought.  First, how accurate do you need to be?
I've been monitoring this via my honeypot (which is a 486 on an iDSL line, so
we're not talking lots of resources here).  I'm tracking hits to tcp dst port
135, then dividing by 2.  My honeypot DOES answer on 135/TCP, but it does not
answer with a true MS RPC/EPMapper, so I tend to see a SYN come in, and then I
send out an ACK,RST.  So for my purposes, 2 packets with 135/TCP = 1 "attack."
But 1 incoming packet = 1 attack more or less, so far.

So why not just stick a machine outside the firewall running tcpdump?
Needless to say, use a hardened box, but tcpdump runs on UNIX or Windows
(well, Windump).  As I started typing this message, I fired it up on my
honeypot.  In the time it took to write this message, I got this [0].

The advantage to using tcpdump is that it's simple, and there is almost no
configuration, rules, tweaking, etc.  The disadvantage is that it's less
accurate.  However, for my honeypot I've had next to zero 135/TCP traffic
UNTIL DCOM/Blaster, so if you can live with a +- 3 packets a day error...
Here are my month-to-date stats [1].  But last month was next to nothing
except for a burst on the 20th or so.

Basically, do something like this:
	tcpdump -vn tcp dst port 135 > Blaster.log

Then, 'wc -l Blaster.log' every once in a while to count the # of lines.
Roll the file at midnight or whatever, or do grep -c (might want -tttt on
tcpdump for a more useful date/time stamp) [2] for stats.

Or, you can use snort in sniffer mode more or less the same way.  It really
doesn't matter except snort output is more than 1 line per packet, so you have
to grep for something instead of wc -l.

Final note: I threw in 445 for my tests for the heck of it, but no hits.  It
probably doesn't matter.

Later,
JP
------------------------------|:::======|--------------------------------
JP Vossen, CISSP              |:::======|         jp{at}jpsdomain{dot}org
My Account, My Opinions       |=========|       http://www.jpsdomain.org/
------------------------------|=========|--------------------------------
"The software said it requires Windows XP or better, so I installed
Linux..."


[0] tcpdump -vn tcp dst port 135 or 445
tcpdump: listening on eth0

16:37:21.603786 66.91.87.87.1875 > 66.xxx.xxx.115.135: S [tcp sum ok] 2153621246:2153621246(0) win 64240 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK> (DF) (ttl 113, id 53801, len 64)

16:37:22.253808 66.91.87.87.1875 > 66.xxx.xxx.115.135: S [tcp sum ok] 2153621246:2153621246(0) win 64240 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK> (DF) (ttl 113, id 53808, len 64)

16:37:22.843828 66.91.87.87.1875 > 66.xxx.xxx.115.135: S [tcp sum ok] 2153621246:2153621246(0) win 64240 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK> (DF) (ttl 113, id 53811, len 64)

16:42:40.654408 66.236.51.253.1471 > 66.xxx.xxx.115.135: S [tcp sum ok] 4180333263:4180333263(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 115, id 11013, len 48)

16:42:43.514503 66.236.51.253.1471 > 66.xxx.xxx.115.135: S [tcp sum ok] 4180333263:4180333263(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 115, id 11929, len 48)

16:42:44.324530 66.236.51.253.1471 > 66.xxx.xxx.115.135: S [tcp sum ok] 4180333263:4180333263(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 115, id 12362, len 48)

16:43:16.635606 66.91.10.62.4282 > 66.xxx.xxx.115.135: S [tcp sum ok] 1158136890:1158136890(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 113, id 31655, len 48)

16:43:59.967048 66.92.248.212.2993 > 66.xxx.xxx.115.135: S [tcp sum ok] 1929304233:1929304233(0) win 65268 <mss 1332,nop,nop,sackOK> (DF) (ttl 116, id 3796, len48)

16:44:00.497066 66.92.248.212.2993 > 66.xxx.xxx.115.135: S [tcp sum ok] 1929304233:1929304233(0) win 65268 <mss 1332,nop,nop,sackOK> (DF) (ttl 116, id 3813, len48)

16:44:01.147087 66.92.248.212.2993 > 66.xxx.xxx.115.135: S [tcp sum ok] 1929304233:1929304233(0) win 65268 <mss 1332,nop,nop,sackOK> (DF) (ttl 116, id 3816, len48)



[1] # packets to hit honeypot:135 (TCP) by date in August 2003
Date            Count   /hr     EST. Attacks
2003-08-01:     13      0/hr    6
2003-08-02:     8       0/hr    4
2003-08-03:     11      0/hr    5
2003-08-04:     9       0/hr    4
2003-08-05:     47      1/hr    23
2003-08-06:     67      2/hr    33
2003-08-07:     11      0/hr    5
2003-08-08:     12      0/hr    6
2003-08-09:     12      0/hr    6
2003-08-10:     37      1/hr    18
2003-08-11:     771     32/hr   385
2003-08-12:     1695    70/hr   847
2003-08-13:     1142    47/hr   571
2003-08-14:     1219    50/hr   609
2003-08-15:     713     44/hr   356
Current up to: 2003-08-15 16:42:52-0400
Note 1: Est. Attacks assumes 2 packets per attack. That is--an ESTIMATE!
Note 2: The last entry is also a rough estimate...


[2] tcpdump -vntttt tcp dst port 135 or 445
tcpdump: listening on eth0

08/15/2003 20:53:54.126828 66.91.61.223.3338 > 66.xxx.xxx.115.135: S [tcp sum ok] 178932069:178932069(0) win 64240 <mss 1460,nop,nop,sackOK> (DF) (ttl 114, id 41730, len 48)

08/15/2003 20:53:54.776850 66.91.61.223.3338 > 66.xxx.xxx.115.135: S [tcp sum ok] 178932069:178932069(0) win 64240 <mss 1460,nop,nop,sackOK> (DF) (ttl 114, id 41750, len 48)

08/15/2003 20:53:55.376870 66.91.61.223.3338 > 66.xxx.xxx.115.135: S [tcp sum ok] 178932069:178932069(0) win 64240 <mss 1460,nop,nop,sackOK> (DF) (ttl 114, id 41752, len 48)
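Added example (not part of JP's message, and not Snort or tcpdump code): a small POSIX sh/awk script that does the per-day "grep -c" tally and the divide-by-2 estimate described in the message above, and goes one step further by also counting distinct source IP:port pairs per day, which collapses the SYN retransmits visible in [0] and [2] (three SYNs per source port) into one attempt each. The sample log lines are constructed with documentation-range addresses; the handling of newer tcpdump output (ISO date, an "IP" token before the source, "Flags [S]") is an assumption about tcpdump versions newer than the one used in the post.

```shell
#!/bin/sh
# Added example: per-day SYN tally for "tcpdump -vntttt tcp dst port 135" output.
# Output line format: <date> <syn_packets> <est_attacks_at_2_per_attack> <distinct_src_ip:port>
#
# Assumed input formats (one packet per line):
#   old:    08/15/2003 20:53:54.126828 src.port > dst.port: S [tcp sum ok] ...
#   modern: 2003-08-17 10:00:00.000000 IP src.port > dst.port: Flags [S], seq ...

# Constructed sample log (documentation-range addresses, not real hosts).
# 08/15: three SYN retransmits from one source port, one SYN and one ACK from a second host.
# 08/16: two SYN retransmits from one host.  2003-08-17: one SYN in modern tcpdump syntax.
SAMPLE_LOG='08/15/2003 20:53:54.126828 192.0.2.10.3338 > 198.51.100.5.135: S [tcp sum ok] 178932069:178932069(0) win 64240 <mss 1460,nop,nop,sackOK> (DF) (ttl 114, id 41730, len 48)
08/15/2003 20:53:54.776850 192.0.2.10.3338 > 198.51.100.5.135: S [tcp sum ok] 178932069:178932069(0) win 64240 <mss 1460,nop,nop,sackOK> (DF) (ttl 114, id 41750, len 48)
08/15/2003 20:53:55.376870 192.0.2.10.3338 > 198.51.100.5.135: S [tcp sum ok] 178932069:178932069(0) win 64240 <mss 1460,nop,nop,sackOK> (DF) (ttl 114, id 41752, len 48)
08/15/2003 21:02:11.000001 192.0.2.11.1471 > 198.51.100.5.135: S [tcp sum ok] 4180333263:4180333263(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 115, id 11013, len 48)
08/15/2003 21:02:11.500000 192.0.2.11.1471 > 198.51.100.5.135: . [tcp sum ok] ack 1 win 16384 (DF) (ttl 115, id 11014, len 40)
08/16/2003 03:14:15.926535 203.0.113.7.1875 > 198.51.100.5.135: S [tcp sum ok] 2153621246:2153621246(0) win 64240 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK> (DF) (ttl 113, id 53801, len 64)
08/16/2003 03:14:16.576557 203.0.113.7.1875 > 198.51.100.5.135: S [tcp sum ok] 2153621246:2153621246(0) win 64240 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK> (DF) (ttl 113, id 53808, len 64)
2003-08-17 10:00:00.000000 IP 203.0.113.9.2993 > 198.51.100.5.135: Flags [S], seq 1929304233, win 65268, options [mss 1332,nop,nop,sackOK], length 0'

# Tally SYN packets per day, the post's 2-packets-per-attack estimate, and
# the number of distinct source IP:port pairs (one per scan attempt, since a
# scanner retransmits its SYN from the same source port).
# Reads the files given as arguments, or stdin if none.
count_by_date() {
    awk '
    / S |Flags \[S\]/ {                      # keep only SYN lines (old or modern flag syntax)
        day = $1                             # first field is the -tttt date
        src = ($3 == "IP") ? $4 : $3         # modern tcpdump inserts "IP" before the source
        pkts[day]++
        key = day SUBSEP src
        if (!(key in seen)) { seen[key] = 1; flows[day]++ }
    }
    END {
        for (d in pkts)
            printf "%s %d %d %d\n", d, pkts[d], int(pkts[d] / 2), flows[d]
    }' "$@" | sort
}

# Overall SYN count, equivalent to the post's "wc -l" once the log holds only SYNs.
total_syns() {
    count_by_date "$@" | awk '{ s += $2 } END { print s + 0 }'
}

# Demo on the constructed sample; on a real capture: count_by_date Blaster.log
printf '%s\n' "$SAMPLE_LOG" | count_by_date
```

The third column reproduces the estimate from table [1] (packets divided by 2, rounded down), while the fourth column gives the tighter per-day figure that the retransmit pattern in the capture allows; the ACK line in the sample is ignored because the rules only match SYNs.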




