Re: nimda rule interpretation

[Joe McAlerney <joey () SiliconDefense com>]

Hi John,

You really need to look at the packet payload to determine if it's a
false positive.  Snort doesn't log it by default, you need to use -d. 
> From there, compare the payload to an actual packet capture of the
worm.  I imagine that url in the rule will have one.

Hope this helps,

-Joe M.

-- 
Joe McAlerney
Software Developer / Security Consultant
joey () SiliconDefense com
Silicon Defense: IDS Solutions -=- http://www.silicondefense.com/

> John Rodley wrote:
>
> I'm a new snort user managing a small corporate network.  I need
> confirmation that my interpretation of this snort alert is correct.
>
> syslog entry:
> 12-05-2001 09:00:25 Auth.Alert a.a.a.a    snort[588]: [1:1294:2]
> NETBIOS nimda .nws [Classification: Potentially Bad Traffic]
> [Priority: 2]: {TCP} a.b.c.d:4003 -> w.x.y.z:139
>
> snort log entry:
> [**] NETBIOS nimda .nws [**]
> 12/05-08:28:37.632972 a.b.c.d:4003 -> w.x.y.z:139
> TCP TTL:128 TOS:0x0 ID:48598 IpLen:20 DgmLen:636 DF
> ***AP*** Seq: 0xDF858CCB  Ack: 0x48C607FC  Win: 0x40A7  TcpLen: 20
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> netbios.rule being triggered
> alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda
> .nws"; content:"|00|N|00|W|00|S"; flags:A+; classtype:bad-unknown;
> reference:url,www.datafellows.com/v-descs/nimda.shtml; sid:1294;
> rev:2;)
> My interpretation of this is that a.b.c.d transmitted the string "NWS"
> over a connection from source port 4003 to destination port 139 on
> w.x.y.z.  Would that be correct?
>
> Suspecting this is a false positive since both machines scan clean.
>
> John Rodley

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users