[Snort-sigs] Rule: Bugbear.B Network Share Scan

Tinsley Paul Paul.Tinsley at ...1517...
Mon Jul 28 16:44:05 EDT 2003


That is pretty misleading; that could also just happen to be somebody trying
to connect to the C$ share. I wouldn't call this a worm scan; there are
legitimate things that do this.

-----Original Message-----
From: Tom.Mclaughlin at ...1486... [mailto:Tom.Mclaughlin at ...1486...]
Sent: Monday, July 28, 2003 5:14 PM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] Rule: Bugbear.B Network Share Scan



# This is a template for submitting snort signature descriptions to 
# the snort.org website 
# 
# Ensure that your descriptions are your own 
# and not the work of others.  References in the rules themselves 
# should be used for linking to other's work. 
# 
# If you are unsure of some part of a rule, use that as a commentary 
# and someone else perhaps will be able to fix it. 
# 
# $Id$ 
# 
# 

Rule:
alert tcp any any -> any 139 (content:"SMBs"; content:"|5C 00|$|00|C|00|"; nocase; dsize:<512; msg:"SMB Connect to $C Share"; sid:1000033; rev:1;)
alert tcp any any -> any 445 (content:"SMB2"; content:"|5C 00|$|00|C|00|"; nocase; dsize:<512; msg:"SMB Connect to $C Share"; sid:1000034; rev:1;)

-- 
Sid: 

-- 
Summary: 
Bugbear.B worm share scan. 
-- 
Impact: 

-- 
Detailed Information: 
Bugbear.B at ...110... seems to have a bug in it. These two rules should catch
Bugbear.B attempting to connect to \$C on remote shares. 
In the above rule I removed the sid since I am using >1,000,000 for this
rule 
-- 
Attack Scenarios: 

-- 
Ease of Attack: 

-- 
False Positives: 
Sometimes someone will mistype \C$ and you'll get an alert. 
-- 
False Negatives: 

-- 
Corrective Action: 

-- 
Contributors: 
Tom McLaughlin 
tom.mclaughlin at ...1486... 
-- 
Additional References: 
http://www.f-secure.com/v-descs/bugbear_b.shtml
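An added example, not code from either message: a small Python check that applies the matching conditions of the two rules above (the header marker, the UTF-16LE "\$C" content with nocase, and dsize:<512) to constructed share paths, so the hit on "\$C" and the miss on a correctly typed "\C$" can be confirmed without running Snort. The sample payloads are constructed and carry only the bytes the content matches look at, not a complete SMB frame.

```python
# Added example, not code from either message: approximates how the two
# rules above match a single TCP payload, so their hits and misses can be
# checked against constructed share paths without running Snort.

# |5C 00| $ |00| C |00|  ->  the text "\$C" as UTF-16LE, which is how the
# share path travels inside a Tree Connect AndX request when Unicode is used.
SHARE_PATTERN = b"\\\x00$\x00C\x00"

# "SMBs" is the "SMB" header text followed by command byte 0x73
# (Session Setup AndX); a Tree Connect AndX carrying the share path is
# commonly chained onto it, which is why the path appears in the same packet.
MARKER_139 = b"SMBs"
MARKER_445 = b"SMB2"   # as written in the second rule


def rule_matches(payload: bytes, marker: bytes = MARKER_139) -> bool:
    """Apply the rule's conditions to one payload:
    dsize:<512 -> payload shorter than 512 bytes;
    content:"SMBs" (or "SMB2") -> case-sensitive, no nocase modifier;
    content:"|5C 00|$|00|C|00|"; nocase -> case-insensitive (bytes.lower()
    only folds ASCII letters, so the 0x00 and '$' bytes are untouched).
    """
    if len(payload) >= 512:
        return False
    if marker not in payload:
        return False
    return SHARE_PATTERN.lower() in payload.lower()


def sample_payload(unc_path: str, marker: bytes = MARKER_139) -> bytes:
    """Constructed stand-in for the bytes the rule inspects: the header marker
    followed by the UNC path encoded as UTF-16LE. Not a complete SMB frame;
    only the fields the content matches look at are present."""
    return marker + unc_path.encode("utf-16-le")


if __name__ == "__main__":
    for path in (r"\\HOST\$C", r"\\host\$c", r"\\HOST\C$"):
        print(path, "->", rule_matches(sample_payload(path)))
```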
