[Snort-sigs] Possible new strain of Blaster or is it a false positive?

Marty.Bostick at ...495... Marty.Bostick at ...495...
Fri Aug 22 13:59:47 EDT 2003




I have verified that this rule(s) is not being triggered by regular print
traffic that we have tested.

Marty Bostick



                                                                                                                                         
From: daniel uriah clemens <daniel_clemens at ...1803...ragard.org>
Sent by: daniel_clemens at ...1804...rg
To: Marty.Bostick at ...495...
cc:
Subject: Re: [Snort-sigs] Possible new strain of Blaster or is it a false positive?
Date: 08/22/2003 10:49 AM




Marty,
Have you tried printing something over the wire to see if it trips up?


-Dan
> Could someone please verify that the following signatures do not cause
> false positive alerts with printing?  If they do not, I may be seeing
> something new!
>
> Thanks
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 135 \
> (msg:"NETBIOS DCERPC ISystemActivator bind attempt"; \
> flow:to_server,established; content:"|05|"; distance:0; \
> within:1; content:"|0b|"; distance:1; within:1; \
> byte_test:1,&,1,0,relative; \
> content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46|"; \
> distance:29; within:16; reference:cve,CAN-2003-0352; \
> classtype:attempted-admin; sid:2192; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET 135 \
> (msg:"NETBIOS DCERPC ISystemActivator bind attempt"; \
> flow:to_server,established; content:"|05|"; distance:0; \
> within:1; content:"|0b|"; distance:1; within:1; \
> byte_test:1,&,1,0,relative; \
> content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46|"; \
> distance:29; within:16; reference:cve,CAN-2003-0352; \
> classtype:attempted-admin; sid:2192; rev:1;)
>
> Marty Bostick
>
>
> -----------------------------------------
> Confidentiality Notice: This e-mail communication and any attachments may
> contain confidential and privileged information for the use of the
> designated recipients named above. If you are not the intended recipient,
> you are hereby notified that you have received this communication in error
> and that any review, disclosure, dissemination, distribution or copying of
> it or its contents is prohibited. If you have received this communication
> in error, please notify me immediately by replying to this message and
> deleting it from your computer. Thank you.
>
>
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>

-Daniel Uriah Clemens

Esse quam videra
     (to be, rather than to appear)
                          -Moments of Sorrow are Moments of Sobriety
http://www.birmingham-infragard.org   | 2053284200
fingerprint: EDF0 6566 2A4A 220E 5760  EA1F 0424 6DF6 F662 F5BD






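To see concretely what sid:2192 does and does not fire on, here is an added example that is not code from this thread or from the Snort project: a Python reimplementation of the rule's content/byte_test chain, run over DCERPC bind PDUs that the script constructs itself. The bind builder, the sample names, and the use of the print spooler (spoolss) interface as the "does printing trip it?" comparison are my own assumptions; the Snort cursor semantics (distance/within relative to the previous match, byte_test not moving the cursor) are stated in the code as the assumption the logic rests on.

```python
"""Added example (not from the thread): replicate the matching logic of the
quoted Snort rule sid:2192 and run it over constructed DCERPC bind PDUs, one
for ISystemActivator (the rule's target) and one for the print spooler
interface, to show why plain print traffic does not trip the rule.
"""
import struct
import uuid

# Interface the rule targets: ISystemActivator {000001A0-0000-0000-C000-000000000046}.
ISYSTEMACTIVATOR = uuid.UUID("000001A0-0000-0000-C000-000000000046")
# Comparison interface for the printing question: the Windows print spooler (spoolss).
SPOOLSS = uuid.UUID("12345678-1234-ABCD-EF00-0123456789AB")
# NDR 2.0 transfer syntax carried in every bind.
NDR_2_0 = uuid.UUID("8A885D04-1CEB-11C9-9FE8-08002B104860")

# Exactly the bytes in the rule's last content: match. DCERPC encodes UUIDs in
# Microsoft little-endian layout, which is what uuid.bytes_le yields.
RULE_UUID_BYTES = bytes.fromhex(
    "A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46".replace(" ", ""))


def matches_sid_2192(payload: bytes) -> bool:
    """Apply sid:2192's content/byte_test chain to one TCP payload.

    Assumed Snort semantics: distance/within are relative to the cursor left by
    the previous match (offset 0 for the first content), and byte_test checks a
    byte without moving the cursor.
    """
    # content:"|05|"; distance:0; within:1;  ->  byte 0 is rpc_vers 5
    if len(payload) < 1 or payload[0] != 0x05:
        return False
    cursor = 1                      # cursor sits just past the matched byte
    # content:"|0b|"; distance:1; within:1;  ->  skip rpc_vers_minor, ptype must be bind
    cursor += 1
    if len(payload) <= cursor or payload[cursor] != 0x0B:
        return False
    cursor += 1                     # now at pfc_flags (offset 3)
    # byte_test:1,&,1,0,relative;  ->  PFC_FIRST_FRAG bit set; cursor does not move
    if len(payload) <= cursor or not payload[cursor] & 0x01:
        return False
    # content:"|A0 01 ... 46|"; distance:29; within:16;
    # -> 16-byte window starting at 3+29 = 32, i.e. the abstract-syntax UUID of
    #    the FIRST presentation context in the bind
    start = cursor + 29
    window = payload[start:start + 16]
    return RULE_UUID_BYTES in window


def build_bind(interface: uuid.UUID, interface_ver: int = 0,
               call_id: int = 1, first_frag: bool = True) -> bytes:
    """Build a minimal connection-oriented DCERPC bind PDU with one context.

    Layout (little-endian): 16-byte common header, max_xmit/max_recv/assoc_group
    (8 bytes), context-list header (4 bytes), then one p_cont_elem whose
    abstract-syntax UUID lands at offset 32.
    """
    ctx = (struct.pack("<HBB", 0, 1, 0)          # context_id, n_transfer_syn, reserved
           + interface.bytes_le + struct.pack("<I", interface_ver)
           + NDR_2_0.bytes_le + struct.pack("<I", 2))
    body = struct.pack("<HHI", 5840, 5840, 0) + struct.pack("<BBH", 1, 0, 0) + ctx
    pfc_flags = 0x03 if first_frag else 0x02     # FIRST|LAST frag, or LAST only
    header = (struct.pack("<BBBB", 5, 0, 0x0B, pfc_flags)
              + bytes([0x10, 0x00, 0x00, 0x00])  # drep: little-endian, ASCII, IEEE
              + struct.pack("<HHI", 16 + len(body), 0, call_id))
    return header + body


def bound_interface(payload: bytes):
    """Return the UUID of a bind's first presentation context, or None.

    Handy when triaging an alert: it shows which interface the client asked
    for, not only whether the 16-byte pattern hit.
    """
    if len(payload) < 48 or payload[0] != 0x05 or payload[2] != 0x0B:
        return None
    return uuid.UUID(bytes_le=bytes(payload[32:48]))


def triage(samples):
    """Run the rule over named sample payloads; returns {name: (fired, interface)}."""
    return {name: (matches_sid_2192(p), bound_interface(p)) for name, p in samples.items()}


# Constructed sample traffic (not captures): what the rule should and should not fire on.
SAMPLES = {
    "isystemactivator_bind": build_bind(ISYSTEMACTIVATOR),
    "spoolss_bind": build_bind(SPOOLSS, interface_ver=1),
    "isystemactivator_continuation": build_bind(ISYSTEMACTIVATOR, first_frag=False),
}

if __name__ == "__main__":
    for name, (fired, iface) in triage(SAMPLES).items():
        print(f"{name:32s} fired={fired!s:5s} interface={iface}")
```

Running it shows the spoolss bind never reaches the final content match because its UUID at offset 32 is not ISystemActivator, which is the structural reason print traffic does not trip this rule. Two caveats the code makes visible: the rule only inspects the first presentation context of a bind, and a fragment without PFC_FIRST_FRAG set is skipped by the byte_test, so bound_interface() is worth logging alongside the alert when you tune or validate the signature.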