[Snort-sigs] Rule: Bugbear.B Network Share Scan

Tom.Mclaughlin at ...1486...
Mon Jul 28 17:30:07 EDT 2003


The \$C is not the same as the \C$. It's a bug in Bugbear.
I've caught several cases of Bugbear.B at ...110... with this rule. 
So far I haven't gotten a false positive. Not that I don't expect one 
occasionally.


-Tom

Tinsley Paul <Paul.Tinsley at ...1517...>
07/28/2003 04:43 PM

 
        To:     Tom McLaughlin/CA/KAIPERM at ...1715..., snort-sigs at lists.sourceforge.net
        cc: 
        Subject:        RE: [Snort-sigs] Rule: Bugbear.B Network Share Scan


That is pretty misleading; that could also just happen to be somebody 
trying to connect to the C$ share. I wouldn't call this a worm scan; there 
are legitimate things that do this.
-----Original Message-----
From: Tom.Mclaughlin at ...1486... [mailto:Tom.Mclaughlin at ...1486...]
Sent: Monday, July 28, 2003 5:14 PM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] Rule: Bugbear.B Network Share Scan


# This is a template for submitting snort signature descriptions to 
# the snort.org website 
# 
# Ensure that your descriptions are your own 
# and not the work of others.  References in the rules themselves 
# should be used for linking to other's work. 
# 
# If you are unsure of some part of a rule, use that as a commentary 
# and someone else perhaps will be able to fix it. 
# 
# $Id$ 
# 
# 

Rule:   
alert tcp any any -> any 139 (content:"SMBs"; content:"|5C 00|$|00|C|00|"; nocase; dsize:<512; msg:"SMB Connect to $C Share"; sid:1000033; rev:1;)
alert tcp any any -> any 445 (content:"SMB2"; content:"|5C 00|$|00|C|00|"; nocase; dsize:<512; msg:"SMB Connect to $C Share"; sid:1000034; rev:1;)

-- 
Sid: 

-- 
Summary: 
Bugbear.B worm share scan. 
-- 
Impact: 

-- 
Detailed Information: 
Bugbear.B at ...110... seems to have a bug in it. These two rules should catch 
Bugbear.B attempting to connect to \$C on remote shares. 
In the above rule I removed the sid since I am using >1,000,000 for this rule. 
-- 
Attack Scenarios: 

-- 
Ease of Attack: 

-- 
False Positives: 
Sometimes someone will mistype \C$ and you'll get an alert. 
-- 
False Negatives: 

-- 
Corrective Action: 

-- 
Contributors: 
Tom McLaughlin 
tom.mclaughlin at ...1486... 
-- 
Additional References: 
http://www.f-secure.com/v-descs/bugbear_b.shtml
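As an added illustration (not part of Tom's submission, the thread, or the Snort project's own code), here is a small Python model of the matching logic the two rules share: the UTF-16LE share-path content match with nocase, and the dsize limit. The stand-in SMB payloads are constructed; their header (a NetBIOS length field, the |FF|SMB magic and a Tree Connect AndX command byte, 0x75) is an assumption the posted rules do not themselves inspect, since only the share-path bytes decide the match. It shows why the worm's mistyped "\$C" fires while the correct administrative share "C$" does not, that nocase also catches "\$c", and that any client which sends "\$C", typo or not, fires the rule just the same, which is the false-positive point Paul raises.

```python
"""Toy model of the posted rules' content/dsize logic (constructed example).

Not Snort itself: it emulates the 'content' option with 'nocase' and the
'dsize:<512' option to show what the rules do and do not match.
"""

# The rule's content "|5C 00|$|00|C|00|" is simply "\$C" in UTF-16LE.
SHARE_PATTERN = "\\$C".encode("utf-16-le")   # b"\x5c\x00$\x00C\x00"
MAX_DSIZE = 512                               # dsize:<512


def content_match(payload: bytes, pattern: bytes, nocase: bool = True) -> bool:
    """Emulate Snort 'content'; 'nocase' folds ASCII letters only, as Snort does."""
    if nocase:
        return pattern.lower() in payload.lower()
    return pattern in payload


def rule_fires(payload: bytes) -> bool:
    """Shared logic of sid 1000033/1000034: payload under 512 bytes that
    contains the UTF-16LE path fragment '\\$C' anywhere."""
    if len(payload) >= MAX_DSIZE:             # dsize:<512 fails
        return False
    return content_match(payload, SHARE_PATTERN, nocase=True)


def smb_tree_connect(path: str) -> bytes:
    """Constructed stand-in for a Tree Connect AndX request: a 4-byte
    NetBIOS length field (left zeroed), the |FF|SMB magic, the command
    byte 0x75, then the share path as a null-terminated UTF-16LE string.
    Real SMB framing carries more fields; the rules only look at the path."""
    header = b"\x00\x00\x00\x00" + b"\xffSMB" + b"\x75"
    return header + path.encode("utf-16-le") + b"\x00\x00"


def classify(samples: dict) -> dict:
    """Run every constructed sample through the rule; returns name -> fired."""
    return {name: rule_fires(payload) for name, payload in samples.items()}


# Constructed samples: the worm's buggy path, a legitimate admin-share
# connect, a mistyped lowercase variant, and an oversized request.
SAMPLES = {
    "worm_bug_share":   smb_tree_connect("\\\\victim\\$C"),
    "legit_admin_share": smb_tree_connect("\\\\fileserver\\C$"),
    "typo_lowercase":   smb_tree_connect("\\\\fileserver\\$c"),
    "oversized":        smb_tree_connect("\\\\victim\\$C") + b"A" * 600,
}

if __name__ == "__main__":
    for name, fired in classify(SAMPLES).items():
        print(f"{name:18s} -> {'ALERT' if fired else 'no alert'}")
```

The "typo_lowercase" sample is the case to keep in mind when tuning: nocase widens the match beyond the exact bytes the worm sends, and nothing in the rule ties the hit to worm behaviour such as repeated connects across many hosts, so an alert is evidence of the odd share name only, not of Bugbear by itself.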
