Re: ET 2001581

[Matt Jonkman <jonkman () jonkmans com>]

The intent originally was to catch any scanning, back in the day when
the bots would just start sequentially at some class A. Might have been
internal, might have been external.

But overall, the threshold of 70 *new* connections in 60 seconds is what
keeps it accurate. Nothing Windows does works that quickly! :)

I have seen false positives on servers pushing patches if they're
scanning a net looking for boxes to hit, and scripted net discovery. But
these are also within the intent of the rule.

So overall, the goal is to see internal and outbound port 135 scanning.
Likely culprits are infections and internal scanning (which if the
scanning isn't authorized it needs attention).

That help clear things up?

As for the darknet suggestion Matt, I wholeheartedly agree! But that's a
local thing of course.

Does anyone see a change we should make to the rule under the original
intent?

Matt

Matt Olney wrote:
> Well...I'm not certain the intent of the rule.  If it is looking for
> boxes inside your network scanning out, then you'd want:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET 135
>
> If you're looking for external boxes scanning in, you would want:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 135
>
> If you're looking for internal boxes scanning on 135, a better bet is
> to have some darknet set aside and build a custom rule.  For example,
> take an unused /24, say 10.10.10.0/24, and then assign it to the
> variable DARK_NET.  Then I would use:
>
> alert tcp $HOME_NET any -> $DARK_NET 135.
>
> Of course, you would also want to worry about the other NETBIOS
> protocols, 139 and 445 as a base.  And finally, you might want to
> alert on ANY traffic destined to DARK_NET.  It is unused, and any
> traffic that way is by default abnormal (probably).
>
> But, either way, these rules are ET rules and not Sourcefire rules.  I
> think Mr. Jonkman hangs around here, so he may have some things to say
> about them as well.
>
> Matt Olney
> Research Engineer, VRT
>
> On Sun, Jun 7, 2009 at 12:16 PM, James Lay<jlay () slave-tothe-box net> wrote:
> > Maybe I’m just dumb, but shouldn’t something like the below be set to ignore
> > localnets?
> >
> > Alert tcp $HOME_NET any -> any 135 (msg:"ET SCAN Behavioral Unusual Port 135
> > traffic, Potential Scan or Infection"; flags: S,12; threshold: type both,
> > track by_src, count 70 , seconds 60; classtype: misc-activity;
> > reference:url,doc.emergingthreats.net/2001581;
> > reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Netbios;
> > sid: 2001581; rev:13;)
> > emerging-sid-msg.map:2001581 || ET SCAN Behavioral Unusual Port 135 traffic,
> > Potential Scan or Infection ||
> > url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Netbios ||
> > url,doc.emergingthreats.net/2001581
> >
> > Saw a lot of:
> >
> > Jun  7 09:47:24 gateway snort[15113]: [1:2001581:13] ET SCAN Behavioral
> > Unusual Port 135 traffic, Potential Scan or Infection [Classification: Misc
> > activity] [Priority: 3]: {TCP} 10.0.1.10:2649 -> 10.0.16.62:135
> >
> > Even though var HOME_NET is [10.0.0.0/8]
> > ------------------------------------------------------------------------------
> > OpenSolaris 2009.06 is a cutting edge operating system for enterprises
> > looking to deploy the next generation of Solaris that includes the latest
> > innovations from Sun and the OpenSource community. Download a copy and
> > enjoy capabilities such as Networking, Storage and Virtualization.
> > Go to: http://p.sf.net/sfu/opensolaris-get
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> ------------------------------------------------------------------------------
> OpenSolaris 2009.06 is a cutting edge operating system for enterprises 
> looking to deploy the next generation of Solaris that includes the latest 
> innovations from Sun and the OpenSource community. Download a copy and 
> enjoy capabilities such as Networking, Storage and Virtualization. 
> Go to: http://p.sf.net/sfu/opensolaris-get
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc



------------------------------------------------------------------------------
OpenSolaris 2009.06 is a cutting edge operating system for enterprises 
looking to deploy the next generation of Solaris that includes the latest 
innovations from Sun and the OpenSource community. Download a copy and 
enjoy capabilities such as Networking, Storage and Virtualization. 
Go to: http://p.sf.net/sfu/opensolaris-get
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users