[Snort-sigs] Rule: Bugbear.B Network Share Scan

Tom.Mclaughlin at ...1486...
Mon Jul 28 15:27:05 EDT 2003


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work. 
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# 
# $Id$
#
# 

Rule: 
alert tcp any any -> any 139 (content:"SMBs"; content:"|5C 00|$|00|C|00|"; nocase; dsize:<512; msg:"SMB Connect to $C Share"; sid:1000033; rev:1;)
alert tcp any any -> any 445 (content:"SMB2"; content:"|5C 00|$|00|C|00|"; nocase; dsize:<512; msg:"SMB Connect to $C Share"; sid:1000034; rev:1;)

--
Sid:

--
Summary:
Bugbear.B worm share scan.
--
Impact:

--
Detailed Information:
Bugbear.B at ...110... seems to have a bug in it. These two rules should catch 
Bugbear.B attempting to connect to \$C on remote shares.
In the above rule I removed the sid since I am using >1,000,000 for this 
rule
--
Attack Scenarios:

--
Ease of Attack:

--
False Positives:
Sometimes someone will mistype \C$ and you'll get an alert. 
--
False Negatives:

--
Corrective Action:

--
Contributors:
Tom McLaughlin
tom.mclaughlin at ...1486...
-- 
Additional References:
http://www.f-secure.com/v-descs/bugbear_b.shtml
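The following is an added example, not part of the post above and not Snort's own code: a small Python emulation of the two rules' matching logic (the "SMBs"/"SMB2" header content, the UTF-16LE "\$C" content with nocase, and the payload-size limit of under 512 bytes), run over constructed SMB-like payloads. The payloads, the host address and the helper names are assumptions made for illustration; the SMB framing is simplified to the "\xFFSMB" marker followed by the command byte, which is what the rules' first content pattern keys on.

```python
# Added example: emulate the two Bugbear.B share-scan rules in Python and run
# them over constructed payloads. Not part of the original post; the payloads
# below are constructed for illustration, not captured from the worm.

SMB_HEADER_139 = b"SMBs"              # first content pattern of the port-139 rule
SMB_HEADER_445 = b"SMB2"              # first content pattern of the port-445 rule
SHARE_PATTERN = b"\x5c\x00$\x00C\x00"  # |5C 00|$|00|C|00| = "\$C" as UTF-16LE
MAX_DSIZE = 512                       # rule fires only when payload size is below this


def matches_rule(payload: bytes, dst_port: int) -> bool:
    """Return True when `payload` to `dst_port` would trigger the matching rule.

    Emulates: content:"SMBs" (or "SMB2"); content:"|5C 00|$|00|C|00|"; nocase;
    and a dsize condition of under 512 bytes. In Snort, `nocase` modifies only
    the content option it follows, so the header match stays case-sensitive
    while the share-name match is case-insensitive.
    """
    if dst_port == 139:
        header = SMB_HEADER_139
    elif dst_port == 445:
        header = SMB_HEADER_445
    else:
        return False                       # neither rule covers other ports
    if len(payload) >= MAX_DSIZE:
        return False                       # dsize condition not met
    if header not in payload:
        return False                       # case-sensitive header content
    # Case-insensitive search for the UTF-16LE share fragment. bytes.lower()
    # only folds ASCII letters, so the 0x5C, 0x00 and '$' bytes are untouched.
    return SHARE_PATTERN.lower() in payload.lower()


def build_smb_payload(unc_path: str, command: bytes) -> bytes:
    """Construct a simplified SMB-like payload (assumption, not real framing):
    4-byte NetBIOS length field, the "\xFFSMB" header marker, the SMB command
    byte, 28 bytes of filler for the rest of the header, then the UNC path as
    UTF-16LE (SMB carries Unicode strings that way) with a null terminator."""
    unc = unc_path.encode("utf-16-le")
    return b"\x00\x00\x00\x40" + b"\xffSMB" + command + b"\x00" * 28 + unc + b"\x00\x00"


# Constructed samples. "\\\\10.0.0.5\\$C" is the malformed share name the post
# attributes to the worm; "\\\\10.0.0.5\\C$" is a normal admin-share connect.
WORM_139 = build_smb_payload("\\\\10.0.0.5\\$C", b"s")    # 's' = 0x73 command byte
LEGIT_139 = build_smb_payload("\\\\10.0.0.5\\C$", b"s")
TYPO_139 = build_smb_payload("\\\\10.0.0.5\\$c", b"s")    # lowercase: nocase still fires
WORM_445 = build_smb_payload("\\\\10.0.0.5\\$C", b"2")    # '2' = 0x32 command byte
OVERSIZED = WORM_139 + b"\x00" * MAX_DSIZE                # same bytes, but dsize too large


def run_samples() -> dict:
    """Evaluate every constructed sample and return name -> alert decision."""
    return {
        "worm_139": matches_rule(WORM_139, 139),
        "legit_139": matches_rule(LEGIT_139, 139),
        "typo_139": matches_rule(TYPO_139, 139),
        "worm_445": matches_rule(WORM_445, 445),
        "oversized": matches_rule(OVERSIZED, 139),
        "wrong_port": matches_rule(WORM_139, 80),
    }


if __name__ == "__main__":
    for name, fired in run_samples().items():
        print(f"{name:>10}: {'ALERT' if fired else 'no alert'}")
```

The `typo_139` sample illustrates the false-positive note in the post: because `nocase` applies to the share-name content, a user who types `\$c` by hand produces the same alert as the worm. The `oversized` sample shows the size limit doing its job, and `legit_139` confirms that an ordinary `\C$` connection does not match, since the rule's bytes are "\", "$", "C" in that order.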