[Snort-sigs] TCP sweeps

James Riden j.riden at ...1766...
Tue Dec 14 11:15:03 EST 2004


"Matt Jonkman" <mjonkman at ...2436...> writes:

> We just recently had a similar discussion on the Bleedingsnort site.
>
> http://www.bleedingsnort.com/forum/viewtopic.php?forum=3&showtopic=363 
>
>
> We decided in local testing these rules would be of significant value, but
> they're not something we can have turned on in a default ruleset. It would
> have to be left to each local admin to make the decision which rules are
> good for their net, and more specifically what sensors they'd be able to run
> which on.
>
> I will make us the rules for this, but they'll be disabled by default in the
> bleeding rules. You'll have to specifically decide locally where they should
> go. I'll have this posted in just a few minutes. The rules going up are:
>

[snip rules for ports 135,137,139,445,1433,1434]

> Any suggestions on other ports to watch in this manner?

http://www.nitroguard.com/rxbot.html

  RXBOT has the ability to scan for hosts that are affected by the
  following vulnerabilities:

    * MS04-011 Microsoft LSASS Buffer Overrun
    * MS03-026 Microsoft Buffer Overrun in RPC
    * MS03-007 Microsoft Unchecked Buffer in WebDAV
    * MS03-001 Microsoft Unchecked Buffer in RPC
    * MS01-059 Microsoft Unchecked Buffer in Universal Plug and Play 

Off the top of my head, I think WebDAV would be 80/tcp and UPnP
5001/udp?

Talking of RxBot, anyone want to check these over and maybe add them
in to bleeding.rules? 

alert tcp $HOME_NET !21:443 -> $EXTERNAL_NET !80 (msg:"BLEEDING-EDGE \
IRC Trojan Reporting (mssql)"; content:"PRIVMSG"; nocase; \
content:"mssql"; nocase; within:80; tag:session,20,packets; \
classtype:trojan-activity; flow:to_server,established; sid:???????; \
rev:1;)

alert tcp $HOME_NET !21:443 -> $EXTERNAL_NET !80 (msg:"BLEEDING-EDGE \
IRC Trojan Reporting (file transfer)"; content:"PRIVMSG"; nocase; \
content:"File transfer complete to IP"; nocase; within:80; tag:session,20,packets; \
classtype:trojan-activity; flow:to_server,established; sid:???????; \
rev:1;)

Example of second (first is just a different scan type on existing
rule).

------------------------------------------------------------------------------
#(1 - 104014) [2004-12-14 12:33:07.596] [snort/1]  Tagged Packet
IPv4: 130.123.xx.yy -> 129.78.ccc.dd
      hlen=5 TOS=0 dlen=145 ID=17069 flags=0 offset=0 TTL=128 chksum=63114
TCP:  port=1101 -> dport: 37337  flags=***AP*** seq=121578580
      ack=3313702052 off=5 res=0 win=15815 urp=0 chksum=38868
Payload:  length = 105

000 : 50 52 49 56 4D 53 47 20 23 21 75 72 78 2D 65 78   PRIVMSG #!urx-ex
010 : 20 3A 5B 46 54 50 5D 3A 20 46 69 6C 65 20 74 72    :[FTP]: File tr
020 : 61 6E 73 66 65 72 20 63 6F 6D 70 6C 65 74 65 20   ansfer complete 
030 : 74 6F 20 49 50 3A 20 31 33 30 2E 31 32 33 2E aa   to IP: 130.123.a
040 : aa 2E bb bb bb 20 28 43 3A 5C 57 49 4E 4E 54 5C   a.bbb (C:\WINNT\
050 : 53 79 73 74 65 6D 33 32 5C 45 78 70 6C 6F 72 65   System32\Explore
060 : 72 2E 65 78 65 29 2E 0D 0A                        r.exe)...

cheers,
 Jamie
-- 
James Riden / j.riden at ...1766... / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
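
As an added example (not from the post above, nor Snort's own code), the following Python emulates what the two rules actually test: the port negations `!21:443` / `!80`, and the `content:"PRIVMSG"; nocase; content:"..."; nocase; within:80;` chain, where the second pattern must fall entirely inside the 80 bytes that follow the end of a match of the first. It runs over constructed sample payloads shaped like the tagged packet (hosts, channel and text are made up), including one ordinary chat line that also fires the mssql rule, which is the kind of false positive worth checking before the rules go into a local ruleset.

```python
"""Toy emulation of the two BLEEDING-EDGE IRC trojan reporting rules.

Added example code, not from the original post or from Snort. Only the
pieces the rules use are modelled: port specs and content/nocase/within.
"""
from dataclasses import dataclass


@dataclass
class Packet:
    sport: int      # TCP source port
    dport: int      # TCP destination port
    payload: bytes  # TCP payload; flow:to_server,established is assumed


def port_matches(spec: str, port: int) -> bool:
    """Snort port spec: 'any', 'N', 'N:M' (either end open), '!spec'."""
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if spec == "any":
        return True
    if ":" in spec:
        lo, hi = spec.split(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)


def content_within(payload: bytes, first: bytes, second: bytes, within: int) -> bool:
    """Emulate `content:first; nocase; content:second; nocase; within:N;`.

    `second` must lie completely inside the N bytes following the end of a
    match of `first`. Every occurrence of `first` is tried, so a later
    PRIVMSG in the same payload can still satisfy the chain.
    """
    p, a, b = payload.lower(), first.lower(), second.lower()
    start = p.find(a)
    while start != -1:
        end = start + len(a)
        if b in p[end:end + within]:
            return True
        start = p.find(a, start + 1)
    return False


# (msg, second content) for the two rules; both share PRIVMSG / within:80
RULES = [
    ("BLEEDING-EDGE IRC Trojan Reporting (mssql)", b"mssql"),
    ("BLEEDING-EDGE IRC Trojan Reporting (file transfer)",
     b"File transfer complete to IP"),
]


def match_rules(pkt: Packet) -> list:
    """Return the msg of every rule the packet would trigger."""
    if not (port_matches("!21:443", pkt.sport) and port_matches("!80", pkt.dport)):
        return []
    return [msg for msg, second in RULES
            if content_within(pkt.payload, b"PRIVMSG", second, 80)]


# Constructed sample traffic, modelled on the tagged packet in the post.
REPORT_FT = Packet(1101, 37337,
                   b"PRIVMSG #!urx-ex :[FTP]: File transfer complete to IP: 192.0.2.10 "
                   b"(C:\\WINNT\\System32\\Explorer.exe).\r\n")
REPORT_MSSQL = Packet(1102, 37337,
                      b"PRIVMSG #!urx-ex :[SCAN]: Scanning 192.0.2.0/24 for mssql on port 1433.\r\n")
# "mssql" more than 80 bytes after PRIVMSG: within:80 fails
FAR_MSSQL = Packet(1104, 6667, b"PRIVMSG #chat :" + b"x" * 90 + b" mssql\r\n")
# ordinary chat that happens to mention mssql: the rule fires anyway
CHAT = Packet(1103, 6667, b"PRIVMSG #chat :has anyone tried the new mssql patch?\r\n")


if __name__ == "__main__":
    for name, pkt in [("REPORT_FT", REPORT_FT), ("REPORT_MSSQL", REPORT_MSSQL),
                      ("FAR_MSSQL", FAR_MSSQL), ("CHAT", CHAT),
                      ("REPORT_FT to port 80", Packet(1101, 80, REPORT_FT.payload)),
                      ("REPORT_FT from port 139", Packet(139, 37337, REPORT_FT.payload))]:
        print(f"{name:24s} -> {match_rules(pkt)}")
```

The port negations mean a bot reporting to a C&C server on 80/tcp, or a compromised host using a source port inside 21:443, is not covered; the CHAT case shows the opposite problem, a human-typed line that fires.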





