eltra1n <larry.wichman@gmail.com> writes:
I had a user log on to my remote access VPN, the users machine was
doing TCP-sweeps on port 445 and I think it may have been infected
with MS Blaster. Does anyone have a suggestion on how I can detect
this type of traffic with Snort. I am thinking of writing a sig that
looks for port 445 traffic and setting a very high threshold, it would
be nice to to re-invent the wheel though. Thanks in advance.
Blaster, the original, does not use 445/tcp for propagation, it uses
135/tcp.
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
I'm using standard and bleeding snort sigs, and a script to tail
portscan.log - let me know if you'd like a copy.
Later worms such as Korgo and Sasser do use 445/tcp - and also scan a
lot more aggressively than Blaster did - and also trojans such as the
RxBot variants.
(Bleedingsnort.com has good rules for Lsasrv.dll exploits, IRC traffic
from trojans and Korgo.P executable transfers.)
What's in portscan.log if you grep for the problem IP address?
cheers,
Jamie
--
James Riden / j.riden@massey.ac.nz / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://productguide.itmanagersjournal.com/
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
