[Snort-sigs] Updated BLASTER TFTP rules

Brian bmc at ...95...
Wed Aug 20 01:14:07 EDT 2003


On Wed, Aug 20, 2003 at 11:52:27AM +1200, Jason Haar wrote:
> The existing TFTP rules I've seen around for BLASTER don't appear to be
> correct, and don't account for the newer variants that use different filenames.

Duh.  Don't use the specific to this worm rules.  Why must you know
which variant caused you to get owned?  You have to reinstall the
box anyway.

There is a generic TFTP GET rule, you should use that rule and filter out
the tftp traffic that IS allowed on your network and alert on anything
else.

Just because you don't see "DCOM OWNED YOUR ASS!%)*@%" in a rule message
doesn't mean the rule isn't there.  CVE is a good thing.  Use it.

-brian
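
The approach described in the message above (match any TFTP GET, exclude the TFTP traffic that is allowed, alert on the rest), sketched as an added example that is not part of the original post and is not a Snort rule. The allowlisted subnet and server, the function names and the sample packets are assumptions constructed for illustration; the check never looks at the filename, so a variant that fetches a differently named file is still flagged.

```python
import ipaddress
import struct

# Assumption: the only sanctioned TFTP flows on this constructed network are
# clients in 10.0.5.0/24 talking to the provisioning server 10.0.0.10.
ALLOWED_FLOWS = [(ipaddress.ip_network("10.0.5.0/24"), ipaddress.ip_address("10.0.0.10"))]
TFTP_RRQ = 1  # RFC 1350 opcode for a read request (a "GET")

def parse_rrq(payload: bytes):
    """Return (filename, mode) for a TFTP read request, or None for anything else."""
    if len(payload) < 4 or struct.unpack("!H", payload[:2])[0] != TFTP_RRQ:
        return None
    fields = payload[2:].split(b"\x00")
    # A well-formed RRQ is filename NUL mode NUL, so the split yields at least
    # three pieces (the last one empty, or option fields per RFC 2347).
    if len(fields) < 3 or not fields[0] or not fields[1]:
        return None
    return fields[0].decode("ascii", "replace"), fields[1].decode("ascii", "replace").lower()

def is_allowed(src: str, dst: str) -> bool:
    """True when the client/server pair is one of the sanctioned TFTP flows."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in net and d == server for net, server in ALLOWED_FLOWS)

def alerts(packets):
    """packets: iterable of (src_ip, dst_ip, dst_port, udp_payload) tuples."""
    out = []
    for src, dst, dport, payload in packets:
        if dport != 69:
            continue
        rrq = parse_rrq(payload)
        if rrq and not is_allowed(src, dst):
            out.append((src, dst, rrq[0]))  # filename is reported, never matched on
    return out

# Constructed sample traffic, not captured data.
SAMPLE = [
    ("10.0.5.21", "10.0.0.10", 69, b"\x00\x01pxelinux.0\x00octet\x00"),   # sanctioned GET
    ("10.0.7.33", "192.0.2.44", 69, b"\x00\x01update.bin\x00octet\x00"),  # unsanctioned GET
    ("10.0.7.33", "192.0.2.44", 69, b"\x00\x02upload.txt\x00octet\x00"),  # WRQ, not a GET
    ("10.0.7.34", "192.0.2.44", 69, b"\x00\x01"),                         # truncated packet
]

if __name__ == "__main__":
    for hit in alerts(SAMPLE):
        print("ALERT unexpected TFTP GET %s -> %s file=%r" % hit)
```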



