[Snort-sigs] Possible new strain of Blaster or is it a false positive?

Compton, Rich RCompton at ...1352...
Wed Aug 27 13:44:02 EDT 2003


I am also seeing false positives on this coming from a Unix box that uses
this port for HP Openview reporting.  
Anyone else see this?

-Rich Compton

-----Original Message-----
From: Marty.Bostick at ...495... [mailto:Marty.Bostick at ...495...]
Sent: Friday, August 22, 2003 3:52 PM
To: daniel uriah clemens
Cc: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] Possible new strain of Blaster or is it a false positive?






I have verified that these rules are not being triggered by the regular print
traffic that we have tested.

Marty Bostick



 

daniel uriah clemens <daniel_clemens at ...1803... ragard.org>
Sent by: daniel_clemens at ...1804... rg
08/22/2003 10:49 AM

To: Marty.Bostick at ...495...
cc:
Subject: Re: [Snort-sigs] Possible new strain of Blaster or is it a false positive?


Marty,
Have you tried printing something over the wire to see if it trips up?


-Dan
> Could someone please verify that the following signatures do not cause
> false positive alerts with printing?  If they do not, I may be seeing
> something new!
>
> Thanks
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 135 \
> (msg:"NETBIOS DCERPC ISystemActivator bind attempt"; \
> flow:to_server,established; content:"|05|"; distance:0; \
> within:1; content:"|0b|"; distance:1; within:1; \
> byte_test:1,&,1,0,relative; \
> content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46|"; \
> distance:29; within:16; reference:cve,CAN-2003-0352; \
> classtype:attempted-admin; sid:2192; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET 135 \
> (msg:"NETBIOS DCERPC ISystemActivator bind attempt"; \
> flow:to_server,established; content:"|05|"; distance:0; \
> within:1; content:"|0b|"; distance:1; within:1; \
> byte_test:1,&,1,0,relative; \
> content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46|"; \
> distance:29; within:16; reference:cve,CAN-2003-0352; \
> classtype:attempted-admin; sid:2192; rev:1;)
>
> Marty Bostick
>
>
> -----------------------------------------
> Confidentiality Notice: This e-mail communication and any attachments may
> contain confidential and privileged information for the use of the
> designated recipients named above. If you are not the intended recipient,
> you are hereby notified that you have received this communication in error
> and that any review, disclosure, dissemination, distribution or copying of
> it or its contents is prohibited. If you have received this communication
> in error, please notify me immediately by replying to this message and
> deleting it from your computer. Thank you.
>
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by: VM Ware
> With VMware you can run multiple operating systems on a single machine.
> WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines
> at the same time. Free trial click here:
> http://www.vmware.com/wl/offer/358/0
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>

-Daniel Uriah Clemens

Esse quam videri
     (to be, rather than to appear)
                          -Moments of Sorrow are Moments of Sobriety
http://www.birmingham-infragard.org   | 2053284200
fingerprint: EDF0 6566 2A4A 220E 5760  EA1F 0424 6DF6 F662 F5BD
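An added example, mine rather than code from this thread or from the Snort project, that re-implements the content/byte_test chain of the sid:2192 rule quoted above in plain Python and runs it over constructed DCERPC bind PDUs. It makes the point behind both Rich's HP OpenView hits and Marty's printing test: the rule fires on any connection-oriented bind whose first presentation context names the ISystemActivator interface (UUID 000001A0-0000-0000-C000-000000000046, the interface the CAN-2003-0352 exploit and Blaster bind to), and a legitimate DCOM activation from any client sends the same bind, so the signature by itself cannot separate Blaster from a DCOM-speaking management agent. The PDU layout follows the DCE 1.1 RPC / MS-RPCE bind format; the PDU builder, the sample set, the endpoint-mapper bind used as the non-matching case and the function names are constructed for this example.

```python
"""Re-implementation of the matching chain of Snort sid:2192 rev:1 (the rule
quoted above) over constructed DCERPC bind PDUs.  Added example, not code from
the thread or from the Snort project; PDU builder and sample set are my own."""
import struct
import uuid

# Interface UUIDs.  ISystemActivator is what the posted rule looks for; the
# endpoint mapper is used below as a benign, non-matching bind target.
ISYSTEMACTIVATOR = uuid.UUID("000001A0-0000-0000-C000-000000000046")
EPMAP = uuid.UUID("E1AF8308-5D1F-11C9-91A4-08002B14A0FA")
NDR20 = uuid.UUID("8A885D04-1CEB-11C9-9FE8-08002B104860")  # NDR 2.0 transfer syntax

# The 16 bytes carried by the rule's last content: match, in wire (little-endian) order.
RULE_BYTES = bytes.fromhex("A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46")

PFC_FIRST_FRAG = 0x01
PFC_LAST_FRAG = 0x02
PTYPE_BIND = 0x0B


def build_bind(abstract: uuid.UUID, *, first_frag: bool = True, call_id: int = 1) -> bytes:
    """Construct a minimal connection-oriented DCERPC bind PDU with one
    presentation context: `abstract` as the abstract syntax, NDR 2.0 as the
    transfer syntax.  Constructed for this example, not captured traffic."""
    flags = PFC_LAST_FRAG | (PFC_FIRST_FRAG if first_frag else 0)
    ctx = (struct.pack("<HBB", 0, 1, 0)                 # ctx_id, n_transfer_syn, reserved
           + abstract.bytes_le + struct.pack("<I", 0)   # abstract syntax UUID + version
           + NDR20.bytes_le + struct.pack("<I", 2))     # transfer syntax UUID + version
    body = (struct.pack("<HHI", 5840, 5840, 0)          # max_xmit, max_recv, assoc_group
            + struct.pack("<BBH", 1, 0, 0)              # n_context_elem + padding
            + ctx)
    header = (struct.pack("<BBBB", 5, 0, PTYPE_BIND, flags)   # rpc_vers, minor, ptype, pfc_flags
              + bytes([0x10, 0, 0, 0])                         # drep: little-endian, ASCII, IEEE
              + struct.pack("<HHI", 16 + len(body), 0, call_id))  # frag_len, auth_len, call_id
    return header + body


def sid2192_matches(payload: bytes) -> bool:
    """Apply the posted rule's detection chain to one TCP payload.

    content:"|05|"; distance:0; within:1              -> payload[0] == 0x05  (rpc_vers 5)
    content:"|0b|"; distance:1; within:1              -> payload[2] == 0x0b  (ptype bind)
    byte_test:1,&,1,0,relative                        -> payload[3] & 0x01   (PFC_FIRST_FRAG)
    content:"|A0 01 .. 46|"; distance:29; within:16   -> payload[32:48] == RULE_BYTES
      byte_test does not advance the detection pointer, so distance:29 counts
      from the end of the |0b| match (offset 3) and lands on the abstract-syntax
      UUID of the first presentation context at offset 32.
    """
    if len(payload) < 48:
        return False
    return (payload[0] == 0x05
            and payload[2] == PTYPE_BIND
            and (payload[3] & PFC_FIRST_FRAG) != 0
            and payload[32:48] == RULE_BYTES)


def bound_interface(payload: bytes):
    """Return the abstract-syntax UUID a bind PDU asks for (first context), or
    None if the payload is not a bind; handy when triaging a sid:2192 hit."""
    if len(payload) < 48 or payload[0] != 0x05 or payload[2] != PTYPE_BIND:
        return None
    return uuid.UUID(bytes_le=payload[32:48])


def run_samples() -> dict:
    """Run the rule over a constructed set of PDUs.  The first sample is the
    same bytes whether a Blaster-style exploit or a legitimate DCOM activation
    sent it; the rule has no way to tell the two apart."""
    samples = {
        "ISystemActivator bind (exploit or legitimate DCOM activation)":
            build_bind(ISYSTEMACTIVATOR),
        "ISystemActivator bind, non-first fragment":
            build_bind(ISYSTEMACTIVATOR, first_frag=False),
        "endpoint mapper bind": build_bind(EPMAP),
        "truncated bind": build_bind(ISYSTEMACTIVATOR)[:40],
    }
    return {name: sid2192_matches(pdu) for name, pdu in samples.items()}


if __name__ == "__main__":
    assert RULE_BYTES == ISYSTEMACTIVATOR.bytes_le  # the rule's hex is the UUID in wire order
    for name, hit in run_samples().items():
        print(f"{'ALERT' if hit else '  -  '}  {name}")
```

When a host like Rich's Unix box trips the rule, feed the offending payload to bound_interface() and compare the result with what that host legitimately talks to; only a bind naming ISystemActivator matches, so a bind to the endpoint mapper or any other interface is not what alerted. One further caveat on the rules as posted: the outbound ($HOME_NET -> $EXTERNAL_NET) copy reuses sid:2192, and Snort requires each rule to carry its own sid, so give that variant a distinct sid before loading both.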





