[Snort-sigs] Updated BLASTER TFTP rules

Jason Haar Jason.Haar at ...651...
Tue Aug 19 20:05:07 EDT 2003


The existing TFTP rules I've seen around for BLASTER don't appear to be
correct, and don't account for the newer varients that use different filenames.

I threw out those rules, wrote my own, and the following appear to work as
intended.

Note: the sids are wrong because I just poached them from an e-mail from
this list. In fact, now that I look, there are STILL NO OFFICIAL SNORT RULES
FOR THIS RPC-BASED attack! I see no rules for "blast" and no rules for "dcom".

All the media/press appears to refer to snort rules, and I don't see any.

Is someone putting the RPC/DCOM ones in, or shall I bung in the ones I have
(that work well), and let us fight it out afterwards???

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1




More information about the Snort-sigs mailing list