Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Signatures
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Snort-sigs] Warning: flowbits keys (not) set/checked (Trojan Bot/Sasser

from [Ellen L Mitchell] Network Security [Permanent Link]
Subject: [Snort-sigs] Warning: flowbits keys (not) set/checked (Trojan Bot/Sasser rules)
Date: Wed, 12 Oct 2005 20:09:04 -0500 

Howdy,

I'm missing something... I've been reviewing my rule set and I have a
couple questions that google couldn't solve.

The following Trojan Bot rules (from bleeding-virus) use "flowbits:
set,trojan;" but I haven't been able to find any rule that uses
"flowbits: isset,trojan".  Am I missing rules, or missing information
about how the rules are supposed to work?  I checked bleeding-all just
in case they weren't included in the -virus set.

Trojan Bot rules:
  2002029 Rev 5
  2002030 Rev 7
  2002031 Rev 9
  2002032 Rev 4
  2002033 Rev 7
  
  2002363 Rev 6

  2002384 Rev 5
  2002385 Rev 6
  2002386 Rev 6


Similarly, the Sasser/Korgo worm rule (SID 2001286 Rev 10) uses
"flowbits: isset,netbios.lsass.bind.attempt;" but I can't find a rule 
that sets "netbios.lsass.bind.attempt".

These warnings were found when I used "snort -T".  Partial output
from that is below.

Thanks for any enlightenment.


Output from "snort -T":

[ snip ] 

Warning: flowbits key 'netbios.lsass.bind.attempt' is checked but not ever set.
Warning: flowbits key 'trojan' is set but not ever checked.

[ snip ]

-------------------------------------------------------------------------------
Rule application order: ->activation->dynamic->drop->alert->pass->log
Log directory = /var/log/snort

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.4.2 (Build 25)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 1998-2005 Sourcefire Inc., et al.
 NOTE: Snort's default output has changed in version 2.4.1!
       The default logging mode is now PCAP, use "-K ascii" to activate
       the old default logging mode.


Snort sucessfully loaded all rules and checked all rule chains!
Final Flow Statistics
,----[ FLOWCACHE STATS ]----------
Memcap: 10485760 Overhead Bytes 16400 used(%0.156403)/blocks (16400/1)
Overhead blocks: 1 Could Hold: (0)
IPV4 count: 0 frees: 0
low_time: 0, high_time: 0, diff: 0h:00:00s
    finds: 0 reversed: 0(%0.000000)
    find_sucess: 0 find_fail: 0
percent_success: (%0.000000) new_flows: 0
Snort exiting

Ellen
-- 
Ellen Mitchell
Network Group
Texas A&M University


-------------------------------------------------------
This SF.Net email is sponsored by:
Power Architecture Resource Center: Free content, downloads, discussions,
and more. http://solutions.newsforge.com/ibmarch.tmpl
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Snort-sigs] New rule for detect "ICMP DoS HOD brute force", rmkml
Next by Date:  [Snort-sigs] Bleedingsnort.com Daily Update, bleeding
Previous by Thread:  [Snort-sigs] New rules (2) for detect Hydra brute force auth, rmkml
Next by Thread:  Re: [Snort-sigs] Warning: flowbits keys (not) set/checked (Trojan Bot/Sasser rules), Frank Knobbe
Indexes:  [Date] [Thread] [Top] [All Lists]