RE: Sasser.b Worm Signature and Information

["larosa, vjay" <larosa_vjay () emc com>]

Ok,

I can now tell you the best rule so far in the snort rule set to detect this
virus is, (Trumpets please.....) NETBIOS SMB-DS DCERPC LSASS
DsRolerUpgradeDownlevelServer exploit attempt (SID: 2514). This rule most
definitely detects the sasser worm. Tomorrow should be fun!

vjl

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of larosa, vjay
Sent: Sunday, May 02, 2004 10:07 AM
To: 'Mark.Schutzmann () Omron com'
Cc: 'snort-users () lists sourceforge net'
Subject: RE: [Snort-users] Sasser.b Worm Signature and Information

I believe that the current worm will be detected by the following rule,

SID:            2514 
RULE MSG:       NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer
exploit attempt

I have actually seen the exploits for this vulnerability triggering this
rule (three different pieces of code to be exact). So I believe that worm
will also trigger this rule when it comes knocking on the door....

Good luck!

vjl

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of
Mark.Schutzmann () Omron com
Sent: Saturday, May 01, 2004 11:39 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Sasser.b Worm Signature and Information

All,

Please review the following links for Snort Signature and details of the
MS04-011 Windows exploit for LSASS:

SANS Analysis and SNORT SIG
http://www.incidents.org/diary.php?date=2004-05-01&isc=e363681119d768565232c
3a7b6ae2b7e

LURQ's Detailed Analysis
http://www.lurhq.com/sasser.html

Microsoft's Information:
http://www.microsoft.com/security/incident/sasser.asp

Best Regards,
Mark




-------------------------------------------------------
This SF.Net email is sponsored by: Oracle 10g
Get certified on the hottest thing ever to hit the market... Oracle 10g. 
Take an Oracle 10g class now, and we'll give you the exam FREE. 
http://ads.osdn.com/?ad_id=3149&alloc_id=8166&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


-------------------------------------------------------
This SF.Net email is sponsored by: Oracle 10g
Get certified on the hottest thing ever to hit the market... Oracle 10g. 
Take an Oracle 10g class now, and we'll give you the exam FREE. 
http://ads.osdn.com/?ad_id=3149&alloc_id=8166&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


-------------------------------------------------------
This SF.Net email is sponsored by: Oracle 10g
Get certified on the hottest thing ever to hit the market... Oracle 10g. 
Take an Oracle 10g class now, and we'll give you the exam FREE. 
http://ads.osdn.com/?ad_id=3149&alloc_id=8166&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users