Re: ET 2001581

[Matt Olney <molney () sourcefire com>]

Well...I'm not certain the intent of the rule.  If it is looking for
boxes inside your network scanning out, then you'd want:

alert tcp $HOME_NET any -> $EXTERNAL_NET 135

If you're looking for external boxes scanning in, you would want:

alert tcp $EXTERNAL_NET any -> $HOME_NET 135

If you're looking for internal boxes scanning on 135, a better bet is
to have some darknet set aside and build a custom rule.  For example,
take an unused /24, say 10.10.10.0/24, and then assign it to the
variable DARK_NET.  Then I would use:

alert tcp $HOME_NET any -> $DARK_NET 135.

Of course, you would also want to worry about the other NETBIOS
protocols, 139 and 445 as a base.  And finally, you might want to
alert on ANY traffic destined to DARK_NET.  It is unused, and any
traffic that way is by default abnormal (probably).

But, either way, these rules are ET rules and not Sourcefire rules.  I
think Mr. Jonkman hangs around here, so he may have some things to say
about them as well.

Matt Olney
Research Engineer, VRT

On Sun, Jun 7, 2009 at 12:16 PM, James Lay<jlay () slave-tothe-box net> wrote:
> Maybe I’m just dumb, but shouldn’t something like the below be set to ignore
> localnets?
>
> Alert tcp $HOME_NET any -> any 135 (msg:"ET SCAN Behavioral Unusual Port 135
> traffic, Potential Scan or Infection"; flags: S,12; threshold: type both,
> track by_src, count 70 , seconds 60; classtype: misc-activity;
> reference:url,doc.emergingthreats.net/2001581;
> reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Netbios;
> sid: 2001581; rev:13;)
> emerging-sid-msg.map:2001581 || ET SCAN Behavioral Unusual Port 135 traffic,
> Potential Scan or Infection ||
> url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Netbios ||
> url,doc.emergingthreats.net/2001581
>
> Saw a lot of:
>
> Jun  7 09:47:24 gateway snort[15113]: [1:2001581:13] ET SCAN Behavioral
> Unusual Port 135 traffic, Potential Scan or Infection [Classification: Misc
> activity] [Priority: 3]: {TCP} 10.0.1.10:2649 -> 10.0.16.62:135
>
> Even though var HOME_NET is [10.0.0.0/8]
> ------------------------------------------------------------------------------
> OpenSolaris 2009.06 is a cutting edge operating system for enterprises
> looking to deploy the next generation of Solaris that includes the latest
> innovations from Sun and the OpenSource community. Download a copy and
> enjoy capabilities such as Networking, Storage and Virtualization.
> Go to: http://p.sf.net/sfu/opensolaris-get
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

------------------------------------------------------------------------------
OpenSolaris 2009.06 is a cutting edge operating system for enterprises 
looking to deploy the next generation of Solaris that includes the latest 
innovations from Sun and the OpenSource community. Download a copy and 
enjoy capabilities such as Networking, Storage and Virtualization. 
Go to: http://p.sf.net/sfu/opensolaris-get
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users