Snort mailing list archives
Re: RE: How to Triggering Windows Exploits?
From: "Hendo" <hendo () hendohome com>
Date: Wed, 26 May 2004 08:26:15 -0500
Perhaps this line of thinking will help... The Windows attacks (and all other attacks) that use TCP for transport have to establish a connection to kick off their attack. So for things like Blaster and Sasser, only machines offering up TCP 135 (RPC) or 445 (SMB) would allow a connection to be established, and then the attack could proceed. You'd pick up the attacks only on those machines offering those TCP services. If you had nothing but 'nix running with no Samba, it's likely that you would never see a Blaster attack or Sasser attack on that network. You'd see the port scan on the respective ports, but the machines would not be listening on those ports and would send RST packets back, causing the worm to move on to the next target.

UDP: Slammer uses one packet of UDP to deliver its attack, and it doesn't matter what OS you'd be running, since UDP is stateless and no response is required. I call it the drive-by exploit. You would see these attacks regardless of OS on the wire. Same for all attacks that use stateless protocols like ICMP.

I hope this helps

Dennis

Date: Tue, 25 May 2004 15:30:28 -0700
From: ids () san rr com
Subject: Re: RE: [Snort-users] How to Triggering Windows Exploits?
To: Joshua Berry <jberry () PENSON COM>
Cc: snort-users () lists sourceforge net
Reply-to: ids () san rr com

Hi Joshua,

Your answer is a little bit different from what I was asking. Let me elaborate a little. Are the rules written in a way that requires that a targeted computer respond to an attack, or something of that nature, for Snort to issue an alert? I have yet to see my Snort sensor alert me to any MS exploits (various network worms such as Sasser, Blaster, etc.). I assumed the reason for this was because there are no Windows PCs connected to the network Snort is sensing on. Another test I ran to see if Snort would issue an alert was the Cisco exploits. I do not have any Cisco devices on my network, but I attempted to trigger an alert by hitting an IP on the protected network with the Perl script. No alerts. Do I have to have the appropriate Cisco device to trigger the alert? Just a side note: I'm using the most current rules for Snort (including the rules to detect the Cisco exploits) for testing and information gathering. Any help on this I would greatly appreciate!

Alan
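Hendo's explanation can be seen in miniature with a toy flow tracker. The following Python is an added illustration written for this archive page, not Snort code and not from anyone in the thread: it models the `flow:established,to_server` semantics that Snort's TCP exploit rules rely on, so that a payload only matches once the three-way handshake has completed, while a UDP rule matches on a lone datagram. Hosts, rule names and byte patterns are constructed stand-ins, not real Snort SIDs or worm signatures.

```python
"""Toy flow tracker: why a sensor sees a TCP worm's payload only when the target
completes the handshake, but sees a single-datagram UDP exploit regardless.
Added illustration for this thread; not Snort code. Rules, hosts and byte
patterns are constructed stand-ins, not real Snort SIDs or worm signatures."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Packet:
    proto: str            # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""       # TCP flags as letters: S, SA, A, PA, R
    payload: bytes = b""


@dataclass
class Rule:
    name: str
    proto: str
    dport: int
    content: bytes
    established: bool     # mimics Snort's flow:established,to_server


# Constructed rule set (names and byte patterns are illustrative only)
RULES = [
    Rule("SMB-exploit-attempt", "tcp", 445, b"\xffSMB", True),
    Rule("RPC-exploit-attempt", "tcp", 135, b"\x05\x00\x0b", True),
    Rule("UDP-1434-overflow", "udp", 1434, b"\x04\x01\x01\x01\x01", False),
]

FlowKey = Tuple[str, int, str, int]


class FlowTracker:
    """Follows the TCP three-way handshake per client->server 4-tuple."""

    def __init__(self) -> None:
        self.state: Dict[FlowKey, str] = {}

    def update(self, pkt: Packet) -> bool:
        """Record pkt; return True only if it is client->server traffic on an
        established flow (the only packets a flow:established rule inspects)."""
        if pkt.proto != "tcp":
            return False
        fwd: FlowKey = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev: FlowKey = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.flags == "S":
            self.state[fwd] = "SYN_SENT"
        elif pkt.flags == "SA" and self.state.get(rev) == "SYN_SENT":
            self.state[rev] = "SYN_RECV"        # the target answered the SYN
        elif pkt.flags == "R":
            # closed port: the RST tears down the half-open flow, no payload ever flows
            self.state.pop(rev, None)
            self.state.pop(fwd, None)
        elif "A" in pkt.flags and self.state.get(fwd) == "SYN_RECV":
            self.state[fwd] = "ESTABLISHED"      # client's final ACK completes the handshake
        return self.state.get(fwd) == "ESTABLISHED"


def inspect(packets: List[Packet], rules: List[Rule] = RULES) -> List[str]:
    """Run the constructed rules over a packet list; return the alert names fired."""
    tracker = FlowTracker()
    alerts: List[str] = []
    for pkt in packets:
        established = tracker.update(pkt)
        if not pkt.payload:
            continue
        for rule in rules:
            if rule.proto != pkt.proto or rule.dport != pkt.dport:
                continue
            if rule.established and not established:
                continue              # payload outside a completed handshake is ignored
            if rule.content in pkt.payload:
                alerts.append(rule.name)
    return alerts


WORM, LINUX, WINDOWS = "10.0.0.66", "10.0.0.10", "10.0.0.20"   # constructed hosts


def scan_closed_smb_port() -> List[Packet]:
    """Worm SYNs to 445 on a 'nix box with no Samba; it gets a RST and moves on."""
    return [Packet("tcp", WORM, 40001, LINUX, 445, "S"),
            Packet("tcp", LINUX, 445, WORM, 40001, "R")]


def exploit_listening_smb_port() -> List[Packet]:
    """Same worm against a host that listens on 445: handshake, then payload."""
    return [Packet("tcp", WORM, 40002, WINDOWS, 445, "S"),
            Packet("tcp", WINDOWS, 445, WORM, 40002, "SA"),
            Packet("tcp", WORM, 40002, WINDOWS, 445, "A"),
            Packet("tcp", WORM, 40002, WINDOWS, 445, "PA",
                   b"\x00\x00\x00\x2f\xffSMB\x72" + b"A" * 40)]


def replay_without_handshake() -> List[Packet]:
    """Exploit bytes fired at a host that never answered: no established flow."""
    return [Packet("tcp", WORM, 40003, LINUX, 445, "PA", b"\xffSMB" + b"A" * 40)]


def slammer_style_datagram(target: str) -> List[Packet]:
    """One UDP datagram to 1434 carries the whole attack; nothing needs to answer."""
    return [Packet("udp", WORM, 1434, target, 1434, "",
                   b"\x04" + b"\x01" * 96 + b"\x90" * 8)]


if __name__ == "__main__":
    print("closed-port scan   :", inspect(scan_closed_smb_port()))
    print("listening target   :", inspect(exploit_listening_smb_port()))
    print("no-handshake replay:", inspect(replay_without_handshake()))
    print("UDP to 'nix box    :", inspect(slammer_style_datagram(LINUX)))
```

Run as a script, the closed-port scan and the no-handshake replay produce no alerts, the SMB exploit against a listening host fires the TCP rule, and the UDP datagram fires regardless of which host it is aimed at. That is the same split Hendo describes: a test script aimed at an address with nothing listening never gets past the handshake, so the exploit bytes a TCP rule looks for are never put on the wire.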
Current thread:
- How to Triggering Windows Exploits? ids (May 25)
- <Possible follow-ups>
- RE: How to Triggering Windows Exploits? Joshua Berry (May 25)
- Re: RE: How to Triggering Windows Exploits? ids (May 25)
- Re: How to Triggering Windows Exploits? James Riden (May 25)
- RE: How to Triggering Windows Exploits? Alan (May 26)
- Re: How to Triggering Windows Exploits? James Riden (May 25)
- RE: RE: How to Triggering Windows Exploits? Alan (May 26)
- RE: RE: How to Triggering Windows Exploits? Alan (May 26)
- Re: RE: How to Triggering Windows Exploits? Hendo (May 26)