[Bro] Sasser Policy?

jean-philippe luiggi jp.luiggi at free.fr
Thu Oct 18 04:57:52 PDT 2007

On Wed, 17 Oct 2007 12:01:00 -0400
"Mike Hsiao" <hsiaom26 at hotmail.com> wrote:

> Hi,
> Currently, I'm studying the worm behaviors, such as Blaster,
> Sasser, ... . And the policy script blaster.bro can detect instances
> of the W32.Blaster.
> Is there any policy that can be used for detecting Sasser?
> Or can any other scanning policy capture the scanning event of the
> Sasser worm? I would like to understand how (or with what approaches)
> Bro detects Sasser.
> Any help will be appreciated, thanks.

Hello Mike,

The way used by Sasser (version "A") is different from the one used by
First it tries to connect using port tcp/445 instead of tcp/135, then
it'll download a binary using FTP (port tcp/5554), and then at least 128
threads are launched.

Seeing "blaster.bro", it should not be too difficult to
adapt it for Sasser (testing for several connections to port 445/tcp).

So, an idea: copy blaster.bro to sasser.bro, then modify the
new policy:

@load notice
@load site

const W32S_port = 445/tcp;

const W32S_MIN_ATTEMPTS = 128 &redef;

redef enum Notice += {
  W32S_SourceLocal,
  W32S_SourceRemote,
};

# Distinct responders each source has tried to reach on 445/tcp.
global w32s_scanned: table[addr] of set[addr];
# Sources already reported, so each scanner yields a single notice.
global w32s_reported: set[addr];

event connection_attempt(c: connection)
  {
  if ( c$id$resp_p != W32S_port )
    return;

  local ip = c$id$orig_h;
  if ( ip in w32s_reported )
    return;

  if ( ip in w32s_scanned )
    {
    add (w32s_scanned[ip])[c$id$resp_h];
    if ( length(w32s_scanned[ip]) == W32S_MIN_ATTEMPTS )
      {
      if ( is_local_addr(ip) )
        NOTICE([$note=W32S_SourceLocal, $conn=c,
          $msg=fmt("W32.Sasser local source: %s", ip)]);
      else
        NOTICE([$note=W32S_SourceRemote, $conn=c,
          $msg=fmt("W32.Sasser remote source: %s", ip)]);
      add w32s_reported[ip];
      }
    }
  else
    w32s_scanned[ip] = set(ip);
  }

Hope this will give you some help (an improvement would be to detect
connections to port tcp/5554).

With regards,
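The detection logic of the proposed sasser.bro, re-implemented in Python as an added example (not code from the post or from Bro) so it can be run over constructed connection-attempt records: it counts distinct 445/tcp responders per source, raises one notice at 128, and, following the closing suggestion above, also flags a connection to tcp/5554 whose responder was already reported as a scanner. LOCAL_PREFIXES is an assumed stand-in for Bro's is_local_addr(), and the SasserDetector and run_constructed_sample names are mine.

```python
from collections import defaultdict

W32S_PORT = 445            # SMB port Sasser probes (from the post)
W32S_FTP_PORT = 5554       # port of the worm's FTP server (from the post)
W32S_MIN_ATTEMPTS = 128    # distinct targets before a notice (from the post)
LOCAL_PREFIXES = ("10.",)  # assumed: stand-in for Bro's is_local_addr()


class SasserDetector:
    """Per-source fan-out counter mirroring the proposed sasser.bro handler."""

    def __init__(self, min_attempts=W32S_MIN_ATTEMPTS):
        self.min_attempts = min_attempts
        self.scanned = defaultdict(set)  # orig_h -> distinct resp_h on 445/tcp
        self.reported = set()            # sources already noticed (one notice each)
        self.notices = []

    def connection_attempt(self, orig_h, resp_h, resp_p):
        # Added corroboration: a connection to 5554/tcp on a host already
        # flagged as a scanner matches the worm's FTP download step.
        if resp_p == W32S_FTP_PORT and resp_h in self.reported:
            self.notices.append(f"W32.Sasser FTP download from {resp_h} by {orig_h}")
            return
        if resp_p != W32S_PORT or orig_h in self.reported:
            return
        # A set, so repeated attempts against one target count once:
        # only the number of distinct responders drives the threshold.
        self.scanned[orig_h].add(resp_h)
        if len(self.scanned[orig_h]) == self.min_attempts:
            where = "local" if orig_h.startswith(LOCAL_PREFIXES) else "remote"
            self.notices.append(f"W32.Sasser {where} source: {orig_h}")
            self.reported.add(orig_h)  # suppress further notices for this source


def run_constructed_sample():
    """Constructed traffic, not captured data: one host sweeps 200 targets on
    445/tcp, a file-server client hammers one share, then a swept host fetches
    from the sweeper on 5554/tcp."""
    det = SasserDetector()
    for i in range(1, 201):
        det.connection_attempt("10.0.0.5", f"10.0.1.{i}", W32S_PORT)
    for _ in range(300):  # many attempts, one target: never a notice
        det.connection_attempt("10.0.0.9", "10.0.0.20", W32S_PORT)
    det.connection_attempt("10.0.1.77", "10.0.0.5", W32S_FTP_PORT)
    return det.notices


if __name__ == "__main__":
    for line in run_constructed_sample():
        print(line)
```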

