Re: [Snort-sigs] TCP sweeps

These look valuable, posting them in just a few minutes.

As for port 80, I don't think there'd be a good way to do that without a 
lot of falses, even in a slow network. For UPnP there are snort.org 
rules that'll get that pretty well I think.

Thanks James.

Matt

James Riden wrote:

> http://www.nitroguard.com/rxbot.html
>
>  RXBOT has the ability to scan for hosts that are affected by the
>  following vulnerabilities:
>
>    * MS04-011 Microsoft LSASS Buffer Overrun
>    * MS03-026 Microsoft Buffer Overrun in RPC
>    * MS03-007 Microsoft Unchecked Buffer in WebDAV
>    * MS03-001 Microsoft Unchecked Buffer in RPC
>    * MS01-059 Microsoft Unchecked Buffer in Universal Plug and Play 
>
> Off the top of my head, I think WebDAV would be 80/tcp and UPnP is
> 5001/udp ?
>
> Talking of RxBot, anyone want to check these over and maybe add them
> in to bleeding.rules? 
>
> alert tcp $HOME_NET !21:443 -> $EXTERNAL_NET !80 (msg:"BLEEDING-EDGE
> IRC Trojan Reporting (mssql)"; content:"PRIVMSG"; nocase;
> content:"mssql"; nocase; within:80; tag:session, 20, packets;
> classtype:trojan-activity; flow:to_server,established; sid:???????;
> rev:1;)
>
> alert tcp $HOME_NET !21:443 -> $EXTERNAL_NET !80 (msg:"BLEEDING-EDGE
> IRC Trojan Reporting (file transfer)"; content:"PRIVMSG"; nocase;
> content:"File transfer complete to IP"; nocase; within:80; tag:session, 20, 
> packets;
> classtype:trojan-activity; flow:to_server,established; sid:???????;
> rev:1;)
>
> Example of second (first is just a different scan type on existing
> rule).
>
> ------------------------------------------------------------------------------
> #(1 - 104014) [2004-12-14 12:33:07.596] [snort/1]  Tagged Packet
> IPv4: 130.123.xx.yy -> 129.78.ccc.dd
>      hlen=5 TOS=0 dlen=145 ID=17069 flags=0 offset=0 TTL=128 chksum=63114
> TCP:  port=1101 -> dport: 37337  flags=***AP*** seq=121578580
>      ack=3313702052 off=5 res=0 win=15815 urp=0 chksum=38868
> Payload:  length = 105
>
> 000 : 50 52 49 56 4D 53 47 20 23 21 75 72 78 2D 65 78   PRIVMSG #!urx-ex
> 010 : 20 3A 5B 46 54 50 5D 3A 20 46 69 6C 65 20 74 72    :[FTP]: File tr
> 020 : 61 6E 73 66 65 72 20 63 6F 6D 70 6C 65 74 65 20   ansfer complete 
> 030 : 74 6F 20 49 50 3A 20 31 33 30 2E 31 32 33 2E aa   to IP: 130.123.a
> 040 : aa 2E bb bb bb 20 28 43 3A 5C 57 49 4E 4E 54 5C   a.bbb (C:\WINNT\
> 050 : 53 79 73 74 65 6D 33 32 5C 45 78 70 6C 6F 72 65   System32\Explore
> 060 : 72 2E 65 78 65 29 2E 0D 0A                        r.exe)...
>
> cheers,
> Jamie
>  



-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now. 
http://productguide.itmanagersjournal.com/
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs