Security Incidents mailing list archives

Re: Snort blah11 signature


From: cedric () THINKERS ORG (Cedric Puddy)
Date: Thu, 6 Jul 2000 07:36:38 -0400


On Wed, 5 Jul 2000, Owen Creger wrote:

> My exchange server is setting off the blah11 trojan signature from
> whitehats.com
> 1 source, 13 destinations...
>
> IDS109/trojan-active-blah11
> 06/30-14:05:30.263961 172.16.1.17:1042 -> 172.16.4.235:1438
> TCP TTL:126 TOS:0x0 ID:19422 DF
> **S***A* Seq: 0x2C787B4F Ack: 0x2C31B Win: 0x2238
> TCP Options => MSS: 1460
> Is this normal traffic from exchange, or should I be concerned?
> Anyone know what port 1042 is used for in Exchange?

Depends what services exchange is providing, and how you
have it configured.  What I am specifically thinking of
is the Microsoft Exchange Mailbox Access Protocol (I
don't actually know what it's called, but it's the
stuff that passes between the server and exchange client).
That protocol works by having the client contact
the server on port 135 (RPC).  Via RPC, the server
assigns two "random" unprivileged ports to the client
(one for the IS, one for the DS).  The client then
connects back on those ports.

You can assign fixed ports to the IS and DS connections
by setting registry entries.  (This is known to be
the way exchange 5.x works.  I dunno about 2000 or
4.x, though I suspect that it would remain applicable.)

I have no idea if normal exchange traffic might look
like blah11.  Check and see if you have another
unpriv port open to the same destination, for starters,
because exchange client traffic should always hold
a pair of ports open.

-Cedric

-
|  CCj/ClearLine - Unix/NT Administration and TCP/IP Network Services
|  118 Louisa Street, Kitchener, Ontario, N2H 5M3, 519-741-2157
\____________________________________________________________________
   Cedric Puddy, IS Director            cedric () thinkers org
     PGP Key Available at:              http://www.thinkers.org/cedric

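Added example, not part of either post above: a small Python script that applies Cedric's check to the alert Owen quoted. It reads the SYN-ACK in the alert as coming from the listening side (so 172.16.1.17:1042 is the service and 172.16.4.235:1438 the client), then looks in a connection table for the port 135 contact and the pair of dynamic server ports an Exchange client should be holding open. The connection records, the second dynamic port (1043) and the client 172.16.4.99 are constructed to show both outcomes; the script says nothing about what port 1042 actually is, only whether the surrounding traffic fits the pattern Cedric describes.

```python
"""Triage a Snort SYN-ACK 'trojan-active' alert against the Exchange RPC port pattern.

Constructed example (not from the original posts): the alert text is the one
quoted in the thread; the connection records are made up to show one client
whose session fits the Exchange pattern (port 135 plus two dynamic ports on
the server) and one that does not.
"""
import re

# Snort 1.x packet header: "MM/DD-HH:MM:SS.usec SRC:PORT -> DST:PORT"
HEADER_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)
# Snort 1.x TCP flag field, e.g. "**S***A*": the letters present are the flags set.
FLAGS_RE = re.compile(r"^(?P<flags>[*12UAPRSF]{8})\s+Seq:")

EPMAP_PORT = 135  # RPC endpoint mapper, the first hop Cedric describes

# The alert as quoted in the thread.
SAMPLE_ALERT = """\
IDS109/trojan-active-blah11
06/30-14:05:30.263961 172.16.1.17:1042 -> 172.16.4.235:1438
TCP TTL:126 TOS:0x0 ID:19422 DF
**S***A* Seq: 0x2C787B4F Ack: 0x2C31B Win: 0x2238
TCP Options => MSS: 1460
"""

# Constructed connection records: (client, client_port, server, server_port).
SAMPLE_CONNS = [
    ("172.16.4.235", 1437, "172.16.1.17", 135),   # endpoint mapper lookup
    ("172.16.4.235", 1438, "172.16.1.17", 1042),  # dynamic port 1 (the alerted one)
    ("172.16.4.235", 1439, "172.16.1.17", 1043),  # dynamic port 2 (assumed)
    ("172.16.4.99",  2201, "172.16.1.17", 1042),  # lone connection: no 135, no pair
]


def parse_alert(text):
    """Pull the listener (server) and client endpoints out of a Snort TCP alert.

    A SYN-ACK travels from the listening side back to the connecting side, so
    when both S and A are set the packet's *source* is the service and the
    *destination* is the client.  A bare SYN is the other way round.
    """
    hdr = flags = None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER_RE.match(line)
        if m:
            hdr = m.groupdict()
        m = FLAGS_RE.match(line)
        if m:
            flags = m.group("flags")
    if hdr is None or flags is None:
        raise ValueError("not a Snort TCP alert")
    syn_ack = "S" in flags and "A" in flags
    if syn_ack:
        server, sport, client, cport = hdr["src"], hdr["sport"], hdr["dst"], hdr["dport"]
    else:
        server, sport, client, cport = hdr["dst"], hdr["dport"], hdr["src"], hdr["sport"]
    return {"server": server, "server_port": int(sport),
            "client": client, "client_port": int(cport), "syn_ack": syn_ack}


def triage_client(conns, server, server_port, client):
    """Apply Cedric's check to one client/server pair.

    An Exchange client first hits 135 on the server, then holds a *pair* of
    dynamic (>= 1024) server ports open, one for the IS and one for the DS.
    A lone dynamic port with no endpoint-mapper contact does not fit.
    """
    ports = {sp for (c, _cp, s, sp) in conns if c == client and s == server}
    dynamic = sorted(p for p in ports if p >= 1024)
    fits = EPMAP_PORT in ports and server_port in dynamic and len(dynamic) >= 2
    return {
        "server": f"{server}:{server_port}",
        "client": client,
        "epmap_seen": EPMAP_PORT in ports,
        "dynamic_ports": dynamic,
        "verdict": "consistent with Exchange RPC" if fits else "unexplained: investigate",
    }


def triage_alert(alert_text, conns):
    """Parse one alert and triage the client it names."""
    a = parse_alert(alert_text)
    return triage_client(conns, a["server"], a["server_port"], a["client"])


if __name__ == "__main__":
    print(triage_alert(SAMPLE_ALERT, SAMPLE_CONNS))
    print(triage_client(SAMPLE_CONNS, "172.16.1.17", 1042, "172.16.4.99"))
```

Run it once per alerted destination (Owen has 13): a client that shows the 135 contact and two dynamic server ports is the Exchange mailbox pattern; a client with only the one port is the one to pull a packet capture for.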
