[Bro] Sasser Policy?

Ruoming Pang rpang at cs.princeton.edu
Thu Oct 18 07:10:07 PDT 2007

On 10/17/07, Mike Hsiao <hsiaom26 at hotmail.com> wrote:
> Hi,
> Currently, I'm studying the worm behaviors, such as Blaster, Sasser, ... .
> And the policy script blaster.bro can detects instances of the W32.Blaster.
> Is there any policy that can be used for detecting Sasser?
> Or any other scanning policy can capture the scanning event of Sasser worm?
> I would like to understand how (or what approaches) Bro to detect Sasser.

Hi Mike,

Do you want to detect the particular malware Sasser or, more
generally, the class of malware that exploits the same vulnerability
as Sasser does?

For latter, Bro has a DCE/RPC parser that exposes the interface and
function of each RPC request and the one used by Sasser can be easily
identified. Coupled with some length threshold it will make a pretty
precise and robust Sasser vulnerability detector.


> Any help will be appreciated, thanks.
> Regards,
> Mike
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

More information about the Bro mailing list