[Snort-sigs] no references to MS04-011 in 2.1 NetBIOS ruleset?

Eric Jacobsen jacobsen at ...437...
Sun May 2 19:03:00 EDT 2004


Jason Haar wrote:
> 
>>>The CURRENT ruleset does have references, so any idea when they become
>>>"official"?
>>
>>They're "official" in that they're out in CURRENT, dunno why they 
>>haven't been backported in the 2.1 snapshot unless there's an issue 
>>with flowbits functionality in 2.1.2+, I'll ask Caswell.
> 
> 
> This terminology of CURRENT is really confusing. I just went through this in
> snort-sigs. "CURRENT" actually means "beta", and "snapshot-2.1" is
> actually "current". Is that correct? You saying "backported" implies
> "snapshot-2.1" is somehow "old" - now I'm really confused... :-)

I noticed recently that the MS04-011 stuff wasn't included in the
2.1 (or 2.0) snapshots.  I noticed that when I loaded a 2.1.1
snort up with "CURRENT" it started complaining loudly over
flowbits stuff, so as Marty suggested these rules may not be
getting backported due to that.

Specific to Sasser, I put together two rules that work for variants
a, b, and c.  The first signature detects the sasser ftp command on
its backdoor port (9996):

alert tcp $HOME_NET any -> any 9996 (msg:"Sasser ftp script to transfer up.exe"; content:"|5F75702E657865|"; depth:250; flags:A+; classtype:misc-activity; sid:1000000; rev:3;)

The second signature will trigger on the actual ftp download on port 5554:

alert tcp any any -> $HOME_NET 5554 (msg:"Sasser binary transfer get up.exe"; content:"|5F75702E657865|"; depth:250; flags:A+; classtype:misc-activity; sid:1000001; rev:1;)

[These were posted on incidents.org].

I put them in my local.rules file using reserved local sids, but I'm
happy to contribute them to the base [really just don't know how].

They will work for 2.0.x and 2.1.x (and the 1.x branches probably).
There might be slightly better ways to write them, but they've
shown to be effective as is.

Note that I've organized the "HOME_NET" placement to tell me which
hosts on my HOME_NET are infected, which is what I like to know
about.  You can swap some "any"s in there to find out about any
attack from any host (and maybe get more false positives).

------------------------------------------------------------
Eric Jacobsen				  jacobsen at ...437...
Office of Information Technology	  (617) 353-2780
Boston University			  http://www.bu.edu
------------------------------------------------------------
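To make the matching logic of the two rules above concrete, here is an added example (not part of the post, not Snort's own code) that models what each rule checks: the source/destination placement of $HOME_NET, the destination port, the ACK flag from flags:A+, and the content search limited by depth:250. The HOME_NET range and all sample payloads are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed HOME_NET for this example; the post does not define one.
HOME_NET = ipaddress.ip_network("10.0.0.0/8")


def hex_content(spec: str) -> bytes:
    """Decode a Snort |..| hex content string into the raw bytes it matches."""
    return bytes.fromhex(spec.strip("|"))


# The content both rules search for: |5F75702E657865| is "_up.exe".
SASSER_CONTENT = hex_content("|5F75702E657865|")


@dataclass(frozen=True)
class Rule:
    sid: int
    msg: str
    src_in_home: bool   # True when the rule's source is $HOME_NET
    dst_in_home: bool   # True when the rule's destination is $HOME_NET
    dst_port: int
    content: bytes
    depth: int          # content must lie entirely within the first `depth` payload bytes


# The two rules from the post, reduced to the fields the matcher models.
RULES = (
    Rule(1000000, "Sasser ftp script to transfer up.exe", True, False, 9996, SASSER_CONTENT, 250),
    Rule(1000001, "Sasser binary transfer get up.exe", False, True, 5554, SASSER_CONTENT, 250),
)


def in_home(ip: str) -> bool:
    return ipaddress.ip_address(ip) in HOME_NET


def rule_matches(rule: Rule, src_ip: str, dst_ip: str, dst_port: int,
                 tcp_flags: str, payload: bytes) -> bool:
    """Apply one rule to a single TCP segment.

    tcp_flags is a string of Snort flag letters, e.g. "AP" for ACK+PSH.
    """
    if rule.src_in_home and not in_home(src_ip):
        return False
    if rule.dst_in_home and not in_home(dst_ip):
        return False
    if dst_port != rule.dst_port:
        return False
    # flags:A+ means ACK must be set, any other flags may be set as well.
    if "A" not in tcp_flags:
        return False
    # depth:250 restricts the search to the first 250 bytes; the whole
    # content string has to fit inside that window to match.
    return rule.content in payload[:rule.depth]


def matching_sids(src_ip: str, dst_ip: str, dst_port: int,
                  tcp_flags: str, payload: bytes) -> list:
    """Return the sids of every rule that fires on this segment."""
    return [r.sid for r in RULES
            if rule_matches(r, src_ip, dst_ip, dst_port, tcp_flags, payload)]


if __name__ == "__main__":
    # Constructed segment: an internal host pushing a script to port 9996.
    script = b"get _up.exe\r\n"
    print(matching_sids("10.1.2.3", "192.0.2.10", 9996, "AP", script))   # [1000000]
    # Constructed segment: the transfer arriving at an internal host on 5554.
    print(matching_sids("192.0.2.10", "10.1.2.3", 5554, "AP", b"xx_up.exe"))  # [1000001]
    # Same content past byte 250 is outside the depth window: no alert.
    print(matching_sids("10.1.2.3", "192.0.2.10", 9996, "AP", b"A" * 250 + b"_up.exe"))  # []
```

The direction checks are what give the post's "which of my hosts are infected" property: sid 1000000 fires only when the source is inside HOME_NET, and sid 1000001 only when the destination is. Changing `src_in_home`/`dst_in_home` to False is the equivalent of swapping $HOME_NET for "any" in the original rules.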