[Snort-users] How to Triggering Windows Exploits?

Hendo hendo at ...3663...
Wed May 26 06:27:25 EDT 2004


Perhaps this line of thinking will help...

The Windows attacks (and all other attacks) that use TCP for transport
have to establish a connection to kick off their attack. So for things
like Blaster and Sasser, only machines offering up TCP 135 (RPC) or
445 (SMB) would allow a connection to be established, and then the attack
could proceed. You'd pick up the attacks only on those machines
offering those TCP services.

If you had nothing but 'nix running with no Samba, it's likely that you
would never see a Blaster or Sasser attack on that network. You'd
see the port scan on the respective ports, but the machines would not be
listening on those ports and would send RST packets back, causing the
worm to move on to the next target.

UDP:

Slammer uses one UDP packet to deliver its attack, and it doesn't
matter what OS you'd be running, since UDP is stateless and no response
is required. I call it the drive-by exploit.

You would see these attacks on the wire regardless of OS. Same for all
attacks that use stateless protocols like ICMP.

I hope this helps

Dennis
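An added example (written by the editor, not code from either poster or from the Snort project): a toy flow tracker that models the point Dennis makes. A TCP rule carrying Snort's `flow:established,to_server` option can only fire after the three-way handshake has completed, so a target that answers the SYN with RST never produces an alert, and a payload replayed without a handshake doesn't either; a UDP rule has no such requirement and fires on the single packet. The `Packet`/`Rule`/`Sensor` classes, the content bytes and all addresses are made up for illustration; this is a simplified model, not Snort's stream preprocessor.

```python
"""Toy model of flow:established vs. stateless single-packet rules.

Added example, not from the thread. Everything here is constructed:
addresses, ports, rule contents and the tiny state machine.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    flags: str = ""       # TCP flag letters: "S", "SA", "A", "PA", "R"
    payload: bytes = b""


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str
    dport: int
    content: bytes
    established: bool     # True models Snort's flow:established,to_server


# Illustrative rules only; the content bytes are not the official rule set.
RULES = [
    Rule("SMB-toy", "tcp", 445, b"\xffSMB", established=True),
    Rule("RPC-toy", "tcp", 135, b"\x05\x00\x0b", established=True),
    Rule("UDP1434-toy", "udp", 1434, b"\x04\x01\x01\x01", established=False),
]


class Sensor:
    """Tracks TCP handshakes and applies rules to each packet."""

    def __init__(self, rules):
        self.rules = rules
        # (client, server, client_port, server_port) -> "SYN" | "SYN_ACK" | "ESTABLISHED"
        self.state = {}
        self.alerts = []

    def _track(self, p):
        fwd = (p.src, p.dst, p.sport, p.dport)   # client -> server
        rev = (p.dst, p.src, p.dport, p.sport)   # server -> client
        if "R" in p.flags:                       # RST tears the flow down
            self.state.pop(fwd, None)
            self.state.pop(rev, None)
        elif p.flags == "S":
            self.state[fwd] = "SYN"
        elif p.flags == "SA" and self.state.get(rev) == "SYN":
            self.state[rev] = "SYN_ACK"
        elif "A" in p.flags and self.state.get(fwd) == "SYN_ACK":
            self.state[fwd] = "ESTABLISHED"      # handshake complete

    def inspect(self, p):
        if p.proto == "tcp":
            self._track(p)
        for r in self.rules:
            if r.proto != p.proto or r.dport != p.dport or r.content not in p.payload:
                continue
            if r.established:
                fwd = (p.src, p.dst, p.sport, p.dport)
                if self.state.get(fwd) != "ESTABLISHED":
                    continue                     # content seen, but no handshake
            self.alerts.append(r.name)


def worm_tcp_attempt(attacker, target, dport, payload, target_listens, sport=40000):
    """Packets a TCP worm puts on the wire against one target (constructed)."""
    syn = Packet("tcp", attacker, target, sport, dport, "S")
    if not target_listens:
        # Closed port: target answers RST, worm moves on, exploit never sent.
        return [syn, Packet("tcp", target, attacker, dport, sport, "R")]
    return [
        syn,
        Packet("tcp", target, attacker, dport, sport, "SA"),
        Packet("tcp", attacker, target, sport, dport, "A"),
        Packet("tcp", attacker, target, sport, dport, "PA", payload),
    ]


def run(packets, rules=RULES):
    """Feed packets through a fresh sensor and return the alert names raised."""
    s = Sensor(rules)
    for p in packets:
        s.inspect(p)
    return s.alerts


if __name__ == "__main__":
    smb = b"\xffSMB" + b"\x00" * 8
    print("Windows host on 445:", run(worm_tcp_attempt("10.0.0.9", "10.0.0.5", 445, smb, True)))
    print("'nix host, no Samba:", run(worm_tcp_attempt("10.0.0.9", "10.0.0.6", 445, smb, False)))
    print("payload without handshake:", run([Packet("tcp", "10.0.0.9", "10.0.0.6", 40001, 445, "PA", smb)]))
    print("Slammer-style UDP to any host:", run([Packet("udp", "10.0.0.9", "10.0.0.6", 5555, 1434, "", b"\x04\x01\x01\x01" + b"\x01" * 4)]))
```

The same logic is why, on a sensor watching a network with no Windows hosts, the TCP worm rules stay silent while the port scans are still visible: only the SYN and RST ever cross the wire, and the signature bytes are never transmitted.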
Date: Tue, 25 May 2004 15:30:28 -0700
From: ids at ...8382...
Subject: Re: RE: [Snort-users] How to Triggering Windows Exploits?
To: Joshua Berry <jberry at ...11848...>
Cc: snort-users at lists.sourceforge.net
Reply-to: ids at ...8382...

Hi Joshua,

Your answer is a little bit different from what I was asking. Let me
elaborate a little. Are the rules written in a way that requires a
targeted computer to respond to an attack, or something of that
nature, for Snort to issue an alert? I have yet to see my Snort sensor
alert me to any MS exploits (various network worms such as Sasser,
Blaster, etc.). I assumed the reason for this was that there are no
Windows PCs connected to the network Snort is sensing on. Another test I
ran to see if Snort would issue an alert was the Cisco exploits. I do
not have any Cisco devices on my network, but I attempted to trigger an
alert by hitting an IP on the protected network with the Perl script. No
alerts. Do I have to have the appropriate Cisco device to trigger the
alert? Just a side note: I'm using the most current rules for Snort
(including the rules to detect the Cisco exploits) for testing and
information gathering.


Any help on this I would greatly appreciate!


Alan