[Bro] Sasser Policy?

jean-philippe luiggi jp.luiggi at free.fr
Thu Oct 18 04:57:52 PDT 2007


On Wed, 17 Oct 2007 12:01:00 -0400
"Mike Hsiao" <hsiaom26 at hotmail.com> wrote:

> Hi,
> 
> Currently, I'm studying the worm behaviors, such as Blaster,
> Sasser, ... . And the policy script blaster.bro can detect instances
> of the W32.Blaster.
> 
> Is there any policy that can be used for detecting Sasser?
> Or can any other scanning policy capture the scanning events of the Sasser
> worm? I would like to understand how (or with what approaches) Bro
> detects Sasser.
> 
> Any help will be appreciated, thanks.

Hello Mike,


The way used by Sasser (version "A") is different from the one used by
Blaster.
First it tries to connect using port tcp/445 instead of tcp/135, then
it'll download a binary using FTP (port tcp/5554), and then at least 128
threads are launched.

Seeing "blaster.bro", it should not be too difficult to
adapt it for Sasser (testing for several connections to port 445/tcp).

So an idea: copy blaster.bro to sasser.bro, then modify the
new policy:

====
# Needed for NOTICE() and is_local_addr(), as in blaster.bro.
@load notice
@load site

# Sasser.A spreads over SMB, so watch 445/tcp rather than Blaster's 135/tcp.
const W32S_port = 445/tcp;

# Number of distinct targets before a source is reported (Sasser starts
# at least 128 scanning threads).
const W32S_MIN_ATTEMPTS = 128 &redef;

redef enum Notice += {
	W32S_SourceLocal,
	W32S_SourceRemote,
};

# Distinct 445/tcp destinations seen per source address.
global w32s_scanned: table[addr] of set[addr];
# Sources already reported, so each one generates a single notice.
global w32s_reported: set[addr];

event connection_attempt(c: connection)
	{
	if ( c$id$resp_p != W32S_port )
		return;

	local ip = c$id$orig_h;
	if ( ip in w32s_reported )
		return;

	if ( ip in w32s_scanned )
		{
		add (w32s_scanned[ip])[c$id$resp_h];
		if ( length(w32s_scanned[ip]) == W32S_MIN_ATTEMPTS )
			{
			if ( is_local_addr(ip) )
				NOTICE([$note=W32S_SourceLocal, $conn=c,
					$msg=fmt("W32.Sasser local source: %s", ip)]);
			else
				NOTICE([$note=W32S_SourceRemote, $conn=c,
					$msg=fmt("W32.Sasser remote source: %s", ip)]);
			add w32s_reported[ip];
			}
		}
	# Start the target set with the destination, not the source itself,
	# so the count reflects hosts actually probed.
	else
		w32s_scanned[ip] = set(c$id$resp_h);
	}
====

Hope this will give you some help (an improvement would be to detect
connections to port tcp/5554).


With regards,

Jean-philippe.
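The improvement suggested in the reply, carried through as an added example that is not part of the original post or of Bro's own blaster.bro: the 445/tcp scan counter is combined with a second event that watches 5554/tcp. It assumes Bro 1.x script syntax as used by blaster.bro, and that the scanning host is the responder on 5554/tcp (the victim fetches the binary from it); the module name, notice names and variable names are hypothetical.

```bro
# Added example (not from the original post or from Bro's blaster.bro).
# Assumption: the host that scanned 445/tcp later serves the worm binary
# on 5554/tcp, so it appears as the responder of that connection.
@load notice
@load site

module Sasser;

export {
	redef enum Notice += {
		W32S_Scanner,       # source reached W32S_MIN_ATTEMPTS distinct 445/tcp targets
		W32S_FTPDownload,   # a reported scanner served 5554/tcp to another host
	};

	const W32S_port = 445/tcp;
	const W32S_FTP_port = 5554/tcp;
	const W32S_MIN_ATTEMPTS = 128 &redef;
}

# Distinct 445/tcp targets per source; entries expire once a source goes quiet.
global w32s_scanned: table[addr] of set[addr] &read_expire = 1 hr;
# Sources already reported as scanners, so each one is noticed only once.
global w32s_reported: set[addr] &read_expire = 1 day;

event connection_attempt(c: connection)
	{
	if ( c$id$resp_p != W32S_port )
		return;

	local ip = c$id$orig_h;
	if ( ip in w32s_reported )
		return;

	if ( ip !in w32s_scanned )
		w32s_scanned[ip] = set();
	add (w32s_scanned[ip])[c$id$resp_h];

	if ( length(w32s_scanned[ip]) == W32S_MIN_ATTEMPTS )
		{
		NOTICE([$note=W32S_Scanner, $conn=c,
			$msg=fmt("W32.Sasser scan from %s", ip)]);
		add w32s_reported[ip];
		}
	}

# Fires when a TCP handshake completes; a reported scanner acting as the
# 5554/tcp server points at the originator as a freshly infected host.
event connection_established(c: connection)
	{
	if ( c$id$resp_p == W32S_FTP_port && c$id$resp_h in w32s_reported )
		NOTICE([$note=W32S_FTPDownload, $conn=c,
			$msg=fmt("W32.Sasser FTP download from %s to %s",
				c$id$resp_h, c$id$orig_h)]);
	}
```

Because the second notice only fires for hosts already reported by the first, an FTP session to 5554/tcp from an unrelated service does not trigger it on its own.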



