"Matt Jonkman" <mjonkman@infotex.com> writes:
We just recently had a similar discussion on the Bleedingsnort site.
http://www.bleedingsnort.com/forum/viewtopic.php?forum=3&showtopic=363
We decided in local testing these rules would be of significant value, but
they're not something we can have turned on in a default ruleset. It would
have to be left to each local admin to make the decision which rules are
good for their net, and more specifically what sensors they'd be able to run
which on.
I will make us the rules for this, but they'll be disabled by default in the
bleeding rules. You'll have to specifically decide locally where they should
go. I'll have this posted in just a few minutes. The rules going up are:
[snip rules for ports 135,137,139,445,1433,1434]
Any suggestions on other ports to watch in this manner?
http://www.nitroguard.com/rxbot.html
RXBOT has the ability to scan for hosts that are affected by the
following vulnerabilities:
* MS04-011 Microsoft LSASS Buffer Overrun
* MS03-026 Microsoft Buffer Overrun in RPC
* MS03-007 Microsoft Unchecked Buffer in WebDAV
* MS03-001 Microsoft Unchecked Buffer in RPC
* MS01-059 Microsoft Unchecked Buffer in Universal Plug and Play
Off the top of my head, I think WebDAV would be 80/tcp and UPnP is
5001/udp ?
Talking of RxBot, anyone want to check these over and maybe add them
in to bleeding.rules?
alert tcp $HOME_NET !21:443 -> $EXTERNAL_NET !80 (msg:"BLEEDING-EDGE
IRC Trojan Reporting (mssql)"; content:"PRIVMSG"; nocase;
content:"mssql"; nocase; within:80; tag:session, 20, packets;
classtype:trojan-activity; flow:to_server,established; sid:???????;
rev:1;)
alert tcp $HOME_NET !21:443 -> $EXTERNAL_NET !80 (msg:"BLEEDING-EDGE
IRC Trojan Reporting (file transfer)"; content:"PRIVMSG"; nocase;
content:"File transfer complete to IP"; nocase; within:80; tag:session, 20,
packets;
classtype:trojan-activity; flow:to_server,established; sid:???????;
rev:1;)
Example of second (first is just a different scan type on existing
rule).
------------------------------------------------------------------------------
#(1 - 104014) [2004-12-14 12:33:07.596] [snort/1] Tagged Packet
IPv4: 130.123.xx.yy -> 129.78.ccc.dd
hlen=5 TOS=0 dlen=145 ID=17069 flags=0 offset=0 TTL=128 chksum=63114
TCP: port=1101 -> dport: 37337 flags=***AP*** seq=121578580
ack=3313702052 off=5 res=0 win=15815 urp=0 chksum=38868
Payload: length = 105
000 : 50 52 49 56 4D 53 47 20 23 21 75 72 78 2D 65 78 PRIVMSG #!urx-ex
010 : 20 3A 5B 46 54 50 5D 3A 20 46 69 6C 65 20 74 72 :[FTP]: File tr
020 : 61 6E 73 66 65 72 20 63 6F 6D 70 6C 65 74 65 20 ansfer complete
030 : 74 6F 20 49 50 3A 20 31 33 30 2E 31 32 33 2E aa to IP: 130.123.a
040 : aa 2E bb bb bb 20 28 43 3A 5C 57 49 4E 4E 54 5C a.bbb (C:\WINNT\
050 : 53 79 73 74 65 6D 33 32 5C 45 78 70 6C 6F 72 65 System32\Explore
060 : 72 2E 65 78 65 29 2E 0D 0A r.exe)...
cheers,
Jamie
--
James Riden / j.riden@massey.ac.nz / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://productguide.itmanagersjournal.com/
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
