[Snort-sigs] NETBIOS nimda .eml

McCash, John John.McCash at ...2471...
Tue Jun 1 08:21:38 EDT 2004

Hello Everyone,
	Here's a proposal for an update to the 'NETBIOS nimda .eml' rule. Please feel free to dissect and discuss, but I think some sort of update to the false positives field, at least, is in order.

# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work. 
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id$

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda .eml"; flow:to_server,established; content:"|00|.|00|E|00|M|00|L"; reference:url,www.f-secure.com/v-descs/nimda.shtml; classtype:bad-unknown; sid:1293; rev:10;) 


This event is generated when traffic indicating Nimda worm activity is detected. Specifically, this rule triggers when a file of type .eml (Outlook Express Internet Email Archive) is opened or copied across a Windows filesharing connection. (That's my reading anyway. I'm seeing alerts with traffic that looks like encapsulated email messages containing the .eml string from misc high ports to port 139. I believe they're Windows filesharing file transfers. In any case, neither the source nor destination machines are infested by Nimda.)

Possible infection by the Nimda virus. 

Detailed Information:
Nimda spreads by file infection, mass emailer, file share, or IIS unicode exploit to attack unpatched systems. 

Affected Systems:
Windows 95
Windows 98
Windows ME
Windows 2000 

Attack Scenarios:
An unpatched server is connected to the internet and is infected or an infected email is opened. Once infected the worm spreads itself. 

Ease of Attack:

False Positives:
This rule triggers when any file of type .eml (Outlook Express Internet Email Archive) is opened or copied across a Windows filesharing connection. (I think. You might want to double check. I'm getting significant numbers of false positives, and I believe this is the cause)

False Negatives:
Only detects Nimda's filesharing spread mode.

Corrective Action:
Check the suspect host for signs of infection. Apply patches or upgrade the operating system 

Snort documentation contributed by Timothy Vienneau
Sourcefire Research Team
Brian Caswell <bmc at ...435...>
Nigel Houghton <nigel.houghton at ...435...> 
John McCash <john.mccash at ...2471...>

Additional References:
url: http://www.f-secure.com/v-descs/nimda.shtml
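As an added illustration (not part of the original post or of the Snort distribution), the following Python snippet emulates the plain `content` match of sid:1293 against constructed stand-ins for the UCS-2 path field of an SMB request, showing why a routine copy of an .eml file fires the rule exactly as a Nimda drop would. The SMB framing and the file names are assumptions; the `nocase` parameter is included only to show that the rule as written is case-sensitive.

```python
# Content string copied verbatim from sid:1293 as quoted in the post.
RULE_CONTENT = "|00|.|00|E|00|M|00|L"


def snort_content_to_bytes(spec: str) -> bytes:
    """Decode a Snort 'content' string: text between |...| is hex bytes,
    everything outside the bars is literal ASCII."""
    out = bytearray()
    for i, chunk in enumerate(spec.split("|")):
        if i % 2 == 1:          # odd chunks sit inside |...|
            out += bytes.fromhex(chunk)
        else:
            out += chunk.encode("ascii")
    return bytes(out)


def rule_matches(payload: bytes, spec: str = RULE_CONTENT, nocase: bool = False) -> bool:
    """Emulate a bare content match: no offset/depth, case-sensitive unless
    the rule carried Snort's 'nocase' modifier (sid:1293 does not)."""
    pattern = snort_content_to_bytes(spec)
    if nocase:
        return pattern.lower() in payload.lower()
    return pattern in payload


def smb_like_path_field(path: str) -> bytes:
    """Constructed stand-in for an SMB request carrying a Unicode path:
    a fake header followed by the path as UCS-2 little-endian, NUL-terminated.
    Real SMB framing is more complex; only the path encoding matters here."""
    return b"\xffSMB" + b"\x00" * 8 + path.encode("utf-16le") + b"\x00\x00"


def evaluate_samples() -> dict:
    """Run the rule over constructed samples and return label -> fired."""
    samples = {
        # worm-style drop: matches because the UCS-2 bytes contain 00 2E 00 45 00 4D 00 4C
        "nimda_style_drop": smb_like_path_field("\\\\VICTIM\\C$\\README.EML"),
        # ordinary user copying a saved mail message to a share: identical match,
        # which is the false positive the post describes
        "benign_eml_copy": smb_like_path_field("\\\\FILESRV\\MAIL\\INVOICE.EML"),
        # same extension in lower case: no match, the rule is case-sensitive
        "lowercase_eml": smb_like_path_field("\\\\VICTIM\\C$\\readme.eml"),
        # unrelated extension: no match
        "doc_file": smb_like_path_field("\\\\FILESRV\\DOCS\\README.DOC"),
        # non-Unicode (ASCII) path field: no interleaved NULs, so no match
        "ascii_path": b"\xffSMB" + b"\x00" * 8 + b"\\\\VICTIM\\C$\\README.EML\x00",
    }
    return {label: rule_matches(data) for label, data in samples.items()}
```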

