[Snort-sigs] no references to MS04-011 in 2.1 NetBIOS ruleset?
Martin Roesch
roesch at ...435...
Sun May 2 17:50:00 EDT 2004
On May 1, 2004, at 5:31 PM, Jason Haar wrote:
> Hi there
>
> The LSASS exploit SASSER is on the loose, and I went to check if Snort
> would
> detect it. There are several rules for matching MS04-011 in
> IMAP/HTTP/etc -
> but no reference to it in netbios.rules! So I get it's safe to say
> Snort
> can't detect SASSER exploiting the MS04-011 vuln at the moment?
No, it can.
SID 2466 will detect infected hosts attempting to access an
administrative share on a Windows based machine. This rule will
generate events due to Sasser worm activity in 2.1.x and above.
SID 2514 will detect infected hosts attempting to compromise other
hosts via the LSASS vulnerability. This rule will
generate multiple events due to Sasser worm activity but it looks like
it's only available in CURRENT
> The CURRENT ruleset does have references, so any idea when they become
> "official"?
They're "official" in that they're out in CURRENT, dunno why they
haven't been backported in the 2.1 snapshot unless there's an issue
with flowbits functionality in 2.1.2+, I'll ask Caswell.
2514 (and 2512 which is required for 2514 to fire) probably work in
2.1.2, I just did an informal test with the 2.1.2 release and it
accepted the rules without barfing (I don't have pcaps of the worm to
test functionality with at this point...)
-Marty
--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring
roesch at ...435... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
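A toy model of the flowbits dependency Marty describes (2512 must match before 2514 can fire). This is an added example, not Snort's code or the real netbios.rules bodies: the rule contents, flowbit name and packets are constructed placeholders, and the assumption is that the pair is a Snort `set`/`noalert` then `isset` relationship.

```python
from collections import namedtuple
from dataclasses import dataclass

# Constructed packet record; only the fields the toy engine needs.
Packet = namedtuple("Packet", "src dst dport payload")

@dataclass
class Rule:
    sid: int
    content: bytes        # constructed placeholder pattern, not the real rule body
    flowbits: list        # Snort-style options, e.g. ["set,lsass.bind", "noalert"]

def flow_key(pkt):
    # Flowbits are tracked per bidirectional flow, so order the endpoints.
    return tuple(sorted([pkt.src, pkt.dst])), pkt.dport

def run_rules(rules, packets):
    """Evaluate rules over packets in order; return (sid, packet index) alerts."""
    state = {}            # flow_key -> set of flowbit names currently set
    alerts = []
    for idx, pkt in enumerate(packets):
        bits = state.setdefault(flow_key(pkt), set())
        for rule in rules:
            if rule.content not in pkt.payload:
                continue
            do_alert, to_set, conditions_ok = True, [], True
            for opt in rule.flowbits:
                op, _, name = opt.partition(",")
                if op == "isset":
                    conditions_ok = conditions_ok and name in bits
                elif op == "set":
                    to_set.append(name)
                elif op == "noalert":
                    do_alert = False
            if not conditions_ok:
                continue              # rule did not match; nothing is set
            bits.update(to_set)       # bits are set only on a full match
            if do_alert:
                alerts.append((rule.sid, idx))
    return alerts

# Placeholder pair: A marks the flow silently, B alerts only on a marked flow.
RULE_A = Rule(2512, b"BIND", ["set,lsass.bind", "noalert"])
RULE_B = Rule(2514, b"OVERFLOW", ["isset,lsass.bind"])

def demo():
    pkts = [
        Packet("10.0.0.5", "10.0.0.9", 445, b"BIND"),      # flow 1: marker seen
        Packet("10.0.0.5", "10.0.0.9", 445, b"OVERFLOW"),  # flow 1: 2514 fires
        Packet("10.0.0.7", "10.0.0.9", 445, b"OVERFLOW"),  # flow 2: no prior marker
    ]
    return run_rules([RULE_A, RULE_B], pkts)
```

Dropping RULE_A from the rule list makes demo() return no alerts, which is why loading 2514 without 2512 would produce a silent ruleset rather than an error.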