[Snort-sigs] no references to MS04-011 in 2.1 NetBIOS ruleset?

Martin Roesch roesch at ...435...
Sun May 2 17:50:00 EDT 2004

On May 1, 2004, at 5:31 PM, Jason Haar wrote:

> Hi there
> The LSASS exploit SASSER is on the loose, and I went to check if Snort would
> detect it. There are several rules for matching MS04-011 in IMAP/HTTP/etc -
> but no reference to it in netbios.rules! So I get it's safe to say Snort
> can't detect SASSER exploiting the MS04-011 vuln at the moment?

No, it can.

SID 2466 will detect infected hosts attempting to access an 
administrative share on a Windows based machine. This rule will 
generate events due to Sasser worm activity in 2.1.x and above.

SID 2514 will detect infected hosts attempting to compromise other 
hosts via the LSASS vulnerability. This rule will generate multiple 
events due to Sasser worm activity, but it looks like it's only 
available in CURRENT.

> The CURRENT ruleset does have references, so any idea when they become
> "official"?

They're "official" in that they're out in CURRENT, dunno why they 
haven't been backported in the 2.1 snapshot unless there's an issue 
with flowbits functionality in 2.1.2+, I'll ask Caswell.

2514 (and 2512 which is required for 2514 to fire) probably work in 
2.1.2, I just did an informal test with the 2.1.2 release and it 
accepted the rules without barfing (I don't have pcaps of the worm to 
test functionality with at this point...)


Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring
roesch at ...435... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
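The dependency Marty mentions (2512 has to be loaded for 2514 to fire) is a flowbits dependency: one rule does flowbits:set on a named bit and the other does flowbits:isset on it, so if the setter is missing or commented out the tester can never alert and you get no error, just silence. The following is an added example, not part of the original post and not Snort's own code, that audits a ruleset text for exactly that: it pulls the sid and flowbits options out of each enabled rule and reports any isset whose bit no enabled rule sets. The sample rules embedded below are constructed for illustration, with local-range SIDs and placeholder content patterns; they are not the real text of SIDs 2466, 2512 or 2514.

```python
"""Audit a Snort ruleset for orphaned flowbits dependencies.

A rule with ``flowbits:isset,NAME`` only fires if some *enabled* rule
executed ``flowbits:set,NAME`` on the same flow earlier.  Snort does not
warn when no such setter is loaded; the rule just never alerts.
"""
import re

# Constructed sample ruleset (hypothetical local-range SIDs, placeholder
# content bytes).  Rule 1000002 depends on 1000001; rule 1000003 tests a
# bit that nothing sets.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SAMPLE DCERPC bind seen"; flow:to_server,established; content:"|05 00 0B|"; flowbits:set,sample.dcerpc.bind; flowbits:noalert; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SAMPLE request after bind"; flow:to_server,established; flowbits:isset,sample.dcerpc.bind; content:"|05 00 00|"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"SAMPLE orphaned test"; flow:to_server,established; flowbits:isset,sample.never.set; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SAMPLE no flowbits"; content:"foo"; sid:1000004; rev:1;)
'''

FLOWBITS_RE = re.compile(r'flowbits\s*:\s*([^;]+);')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')

# Operators that make a bit true on the flow, and the operator that
# requires it to be true.  (isnotset is the inverse problem and is not
# treated as a dependency here.)
SETTERS = {'set', 'toggle'}
TESTERS = {'isset'}


def parse_rules(text, disabled=()):
    """Return {sid: (bits_set, bits_tested)} for every enabled rule.

    Lines starting with '#' are disabled, as in Snort.  Any sid listed in
    `disabled` is skipped too, which lets you ask "what breaks if this rule
    is not in the loaded snapshot?".
    """
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = SID_RE.search(line)
        if not m:
            continue
        sid = int(m.group(1))
        if sid in disabled:
            continue
        bits_set, bits_tested = set(), set()
        for opt in FLOWBITS_RE.findall(line):
            parts = [p.strip() for p in opt.split(',', 1)]
            if len(parts) < 2:
                continue  # noalert / reset carry no bit name
            op, names = parts[0], parts[1]
            # Newer Snort allows several bits joined with & or |.
            bits = {n.strip() for n in re.split(r'[&|]', names) if n.strip()}
            if op in SETTERS:
                bits_set |= bits
            elif op in TESTERS:
                bits_tested |= bits
        rules[sid] = (bits_set, bits_tested)
    return rules


def orphaned_tests(rules):
    """Map sid -> bit names it tests that no enabled rule ever sets."""
    all_set = set().union(*(s for s, _ in rules.values()))
    return {sid: tested - all_set
            for sid, (_, tested) in rules.items()
            if tested - all_set}


def audit(text, disabled=()):
    """Convenience wrapper: parse and report orphaned isset rules."""
    return orphaned_tests(parse_rules(text, disabled))


if __name__ == '__main__':
    for sid, bits in sorted(audit(SAMPLE_RULES).items()):
        print(f'sid {sid} can never fire: no rule sets {sorted(bits)}')
    # Simulate the 2512/2514 situation: drop the setter and re-audit.
    for sid, bits in sorted(audit(SAMPLE_RULES, disabled={1000001}).items()):
        print(f'without 1000001, sid {sid} is orphaned: {sorted(bits)}')
```

Run it against the concatenation of whatever .rules files your snort.conf actually includes (not the whole distribution), since a setter that lives in a file you do not load is as good as missing. The same check also catches the case in this thread: a backported tester rule whose setter never made it into the snapshot.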

