[Snort-sigs] TCP sweeps

Matt Jonkman matt at ...2436...
Tue Dec 14 17:15:15 EST 2004


These look valuable, posting them in just a few minutes.

As for port 80, I don't think there'd be a good way to do that without a 
lot of falses, even in a slow network. For UPnP there are snort.org 
rules that'll get that pretty well I think.

Thanks James.

Matt

James Riden wrote:

>http://www.nitroguard.com/rxbot.html
>
>  RXBOT has the ability to scan for hosts that are affected by the
>  following vulnerabilities:
>
>    * MS04-011 Microsoft LSASS Buffer Overrun
>    * MS03-026 Microsoft Buffer Overrun in RPC
>    * MS03-007 Microsoft Unchecked Buffer in WebDAV
>    * MS03-001 Microsoft Unchecked Buffer in RPC
>    * MS01-059 Microsoft Unchecked Buffer in Universal Plug and Play 
>
>Off the top of my head, I think WebDAV would be 80/tcp and UPnP is
>5001/udp ?
>
>Talking of RxBot, anyone want to check these over and maybe add them
>in to bleeding.rules? 
>
>alert tcp $HOME_NET !21:443 -> $EXTERNAL_NET !80 (msg:"BLEEDING-EDGE
>IRC Trojan Reporting (mssql)"; content:"PRIVMSG"; nocase;
>content:"mssql"; nocase; within:80; tag:session, 20, packets;
>classtype:trojan-activity; flow:to_server,established; sid:???????;
>rev:1;)
>
>alert tcp $HOME_NET !21:443 -> $EXTERNAL_NET !80 (msg:"BLEEDING-EDGE
>IRC Trojan Reporting (file transfer)"; content:"PRIVMSG"; nocase;
>content:"File transfer complete to IP"; nocase; within:80; tag:session, 20, packets;
>classtype:trojan-activity; flow:to_server,established; sid:???????;
>rev:1;)
>
>Example of second (first is just a different scan type on existing
>rule).
>
>------------------------------------------------------------------------------
>#(1 - 104014) [2004-12-14 12:33:07.596] [snort/1]  Tagged Packet
>IPv4: 130.123.xx.yy -> 129.78.ccc.dd
>      hlen=5 TOS=0 dlen=145 ID=17069 flags=0 offset=0 TTL=128 chksum=63114
>TCP:  port=1101 -> dport: 37337  flags=***AP*** seq=121578580
>      ack=3313702052 off=5 res=0 win=15815 urp=0 chksum=38868
>Payload:  length = 105
>
>000 : 50 52 49 56 4D 53 47 20 23 21 75 72 78 2D 65 78   PRIVMSG #!urx-ex
>010 : 20 3A 5B 46 54 50 5D 3A 20 46 69 6C 65 20 74 72    :[FTP]: File tr
>020 : 61 6E 73 66 65 72 20 63 6F 6D 70 6C 65 74 65 20   ansfer complete 
>030 : 74 6F 20 49 50 3A 20 31 33 30 2E 31 32 33 2E aa   to IP: 130.123.a
>040 : aa 2E bb bb bb 20 28 43 3A 5C 57 49 4E 4E 54 5C   a.bbb (C:\WINNT\
>050 : 53 79 73 74 65 6D 33 32 5C 45 78 70 6C 6F 72 65   System32\Explore
>060 : 72 2E 65 78 65 29 2E 0D 0A                        r.exe)...
>
>cheers,
> Jamie
>  
>
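The two rules above both chain a `PRIVMSG` content match with a second match constrained by `within:80`, and both restrict source ports to outside 21:443 and the destination port to anything but 80. The Python below is an added illustration of that matching logic, not code from the list or from Snort: it models an ordered content chain with `nocase` and `within`, applies the port filter, and runs a constructed payload shaped like the tagged packet in the quoted dump (with an RFC 5737 placeholder address in place of the masked one). The `flow` and `tag` options are deliberately not modelled.

```python
"""Toy model of the two BLEEDING-EDGE IRC reporting rules (added example)."""

# Constructed rule table mirroring the posted rules:
# (rule name, ordered list of (content, within_bytes_or_None)).
RULES = [
    ("IRC Trojan Reporting (mssql)",
     [(b"PRIVMSG", None), (b"mssql", 80)]),
    ("IRC Trojan Reporting (file transfer)",
     [(b"PRIVMSG", None), (b"File transfer complete to IP", 80)]),
]

# Constructed sample modelled on the tagged packet in the quoted alert;
# the real host address is replaced by a documentation-range placeholder.
SAMPLE_REPORT = (
    b"PRIVMSG #!urx-ex :[FTP]: File transfer complete to IP: 192.0.2.10 "
    b"(C:\\WINNT\\System32\\Explorer.exe).\r\n"
)


def port_filter_ok(sport: int, dport: int) -> bool:
    """$HOME_NET !21:443 -> $EXTERNAL_NET !80 as a source/destination port test."""
    return not (21 <= sport <= dport and sport <= 443) and dport != 80


def match_contents(payload: bytes, contents) -> bool:
    """Apply an ordered chain of case-insensitive content matches.

    `within` is interpreted as Snort does: the next content must lie
    entirely inside the N bytes following the end of the previous match.
    """
    hay = payload.lower()  # nocase on every content
    pos = 0                # end of the previous match
    for pattern, within in contents:
        pat = pattern.lower()
        if within is None:
            idx = hay.find(pat, pos)
        else:
            window = hay[pos:pos + within]
            rel = window.find(pat)          # must fit wholly in the window
            idx = -1 if rel < 0 else pos + rel
        if idx < 0:
            return False
        pos = idx + len(pat)
    return True


def evaluate(sport: int, dport: int, payload: bytes):
    """Return the names of the rules that would fire on this packet."""
    if not port_filter_ok(sport, dport):
        return []
    return [name for name, contents in RULES if match_contents(payload, contents)]


if __name__ == "__main__":
    # Ports taken from the quoted alert: 1101 -> 37337.
    print(evaluate(1101, 37337, SAMPLE_REPORT))
    # Ordinary channel chatter that mentions the keyword also fires:
    print(evaluate(1101, 37337, b"PRIVMSG #chat :anyone here run mssql?"))
```

The second call in the usage block shows the cost of matching on a bare keyword: any IRC message mentioning `mssql` within 80 bytes of `PRIVMSG` fires the first rule, so on a network with legitimate IRC traffic the `tag:session` output is what lets an analyst tell a bot report from a conversation.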
