Snort mailing list archives
RE: Sasser.b Worm Signature and Information
From: "larosa, vjay" <larosa_vjay () emc com>
Date: Mon, 3 May 2004 00:17:31 -0400
Ok, I can now tell you the best rule so far in the snort rule set to detect this virus is, (Trumpets please.....) NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt (SID: 2514). This rule most definitely detects the sasser worm.

Tomorrow should be fun!

vjl

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of larosa, vjay
Sent: Sunday, May 02, 2004 10:07 AM
To: 'Mark.Schutzmann () Omron com'
Cc: 'snort-users () lists sourceforge net'
Subject: RE: [Snort-users] Sasser.b Worm Signature and Information

I believe that the current worm will be detected by the following rule,

SID: 2514
RULE MSG: NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt

I have actually seen the exploits for this vulnerability triggering this rule (three different pieces of code to be exact). So I believe that worm will also trigger this rule when it comes knocking on the door....

Good luck!

vjl

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Mark.Schutzmann () Omron com
Sent: Saturday, May 01, 2004 11:39 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Sasser.b Worm Signature and Information

All,

Please review the following links for Snort Signature and details of the MS04-011 Windows exploit for LSASS:

SANS Analysis and SNORT SIG
http://www.incidents.org/diary.php?date=2004-05-01&isc=e363681119d768565232c3a7b6ae2b7e

LURQ's Detailed Analysis
http://www.lurhq.com/sasser.html

Microsoft's Information:
http://www.microsoft.com/security/incident/sasser.asp

Best Regards,
Mark

-------------------------------------------------------
This SF.Net email is sponsored by: Oracle 10g
Get certified on the hottest thing ever to hit the market... Oracle 10g.
Take an Oracle 10g class now, and we'll give you the exam FREE.
http://ads.osdn.com/?ad_id=3149&alloc_id=8166&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
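As an added example (not from this thread), a small Python triage script for the morning after: it parses Snort alert_fast lines, keeps only SID 2514 hits on 445/tcp, and reports sources that fired against several distinct targets, which is the pattern of an infected host scanning rather than a single exploit attempt. The log lines are constructed; the rule revision number and classification text in them are assumptions.

```python
import re

# Snort alert_fast layout, one alert per line:
# <ts> [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: n] {proto} src:sport -> dst:dport
ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"(?:\[Classification: [^\]]*\] )?(?:\[Priority: \d+\] )?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

LSASS_SID = 2514  # NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt

def parse_alert(line):
    """Parse one alert_fast line into a dict, or return None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("gid", "sid", "rev", "sport", "dport"):
        d[k] = int(d[k])
    return d

def lsass_sources(lines, min_targets=2):
    """Return {src_ip: distinct 445/tcp targets} for sources that tripped SID 2514
    against at least min_targets different hosts. One hit may be a lone exploit
    attempt; one source hitting many 445/tcp targets is worm-like scanning and the
    host to isolate first."""
    targets = {}
    for line in lines:
        a = parse_alert(line)
        if a is None or a["sid"] != LSASS_SID or a["dport"] != 445:
            continue
        targets.setdefault(a["src"], set()).add(a["dst"])
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}

# Constructed sample alerts (rev and classification text are assumed, not taken from the rule set).
MSG = "NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt"
CLS = "[Classification: Attempted Administrator Privilege Gain] [Priority: 1]"
SAMPLE_ALERTS = [
    f"05/03-00:17:31.104512 [**] [1:2514:5] {MSG} [**] {CLS} {{TCP}} 192.0.2.10:1054 -> 192.0.2.20:445",
    f"05/03-00:17:32.220017 [**] [1:2514:5] {MSG} [**] {CLS} {{TCP}} 192.0.2.10:1055 -> 192.0.2.21:445",
    f"05/03-00:17:33.390440 [**] [1:2514:5] {MSG} [**] {CLS} {{TCP}} 192.0.2.10:1056 -> 192.0.2.22:445",
    f"05/03-00:18:01.000913 [**] [1:2514:5] {MSG} [**] {CLS} {{TCP}} 192.0.2.30:2211 -> 192.0.2.20:445",
    "05/03-00:18:05.771205 [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.0.2.40 -> 192.0.2.20",
    "not an alert line at all",
]

if __name__ == "__main__":
    for src, n in sorted(lsass_sources(SAMPLE_ALERTS).items()):
        print(f"{src}: SID 2514 against {n} distinct hosts on 445/tcp")
```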
Current thread:
- Sasser.b Worm Signature and Information Mark . Schutzmann (May 01)
- <Possible follow-ups>
- RE: Sasser.b Worm Signature and Information larosa, vjay (May 02)
- RE: Sasser.b Worm Signature and Information larosa, vjay (May 02)