ping scan triggers System Rule: Worm propagation attempts?

lewko98
Level 1

Hello all,

I am having some trouble understanding the built-in rules for MARS. When doing a ping scan on my network, the rule for Worm Propagation fires; can anybody explain why? The rule and example info are below:

*********************************************************************************************************************************************

Rule Name: System Rule: Worm Propagation - Attempt
Status: Active
Action: None
Time Range: 0m:10s

Description: This correlation rule detects worm propagation via means such as SMTP, TFTP, and network shares.

Rule conditions (columns in the MARS display: Offset, Open, Source IP, Destination IP, Service Name, Event, Device, Reported User, Keyword, Severity, Count, Close, Operation). The Open/Close columns combine the offsets as (((( 1 FOLLOWED-BY 2 ) OR 3 ) OR 4 ) OR 5 ) OR 6.

Offset 1 (Open: "( ( ( ("; Operation: FOLLOWED-BY)
  Source IP: ANY
  Destination IP: SAME, $TARGET01, ANY
  Service Name: ANY
  Event: Penetrate/ViewFiles/Sensitive, Probe/HostInfo/All
  Device: ANY; Reported User: None; Keyword: ANY; Severity: ANY; Count: 1

Offset 2 (Close: ")"; Operation: OR)
  Source IP: ANY
  Destination IP: SAME, $TARGET01, ANY
  Service Name: ANY
  Event: Propagate/Worm, Propagate/CopyFiles
  Device: ANY; Reported User: None; Keyword: ANY; Severity: ANY; Count: 1

Offset 3 (Close: ")"; Operation: OR)
  Source IP: SAME, $TARGET02, ANY
  Destination IP: DISTINCT, SAME_ANY_DEST_PORT, ANY
  Service Name:
    Recent Backdoor,
    netbios-ns (src port: ANY, dst port: 137, proto: TCP),
    netbios-ns (src port: ANY, dst port: 137, proto: UDP),
    netbios-ssn (src port: ANY, dst port: 139, proto: TCP),
    netbios-ssn (src port: ANY, dst port: 139, proto: UDP),
    Microsoft-ds (src port: ANY, dst port: 445, proto: UDP),
    Microsoft-ds (src port: ANY, dst port: 445, proto: TCP),
    MS_DCE_endpoint_resolution (src port: ANY, dst port: 135, proto: UDP),
    MS_DCE_endpoint_resolution (src port: ANY, dst port: 135, proto: TCP),
    Dameware (src port: ANY, dst port: 6129, proto: TCP),
    tftp (src port: ANY, dst port: 69, proto: UDP),
    tftp (src port: ANY, dst port: 69, proto: TCP)
  Event: ANY
  Device: ANY; Reported User: None; Keyword: ANY; Severity: ANY; Count: 25

Offset 4 (Close: ")"; Operation: OR)
  Source IP: ANY
  Destination IP: SAME, $TARGET01, ANY
  Service Name: ANY
  Event: Propagate/CopyFiles, Propagate/Worm
  Device: ANY; Reported User: None; Keyword: ANY; Severity: ANY; Count: 1

Offset 5 (Close: ")"; Operation: OR)
  Source IP: SAME, $TARGET02, ANY
  Destination IP: ANY
  Service Name: icmp (code: ANY, type: ANY, proto: ICMP)
  Event: ANY
  Device: ANY; Reported User: None; Keyword: ANY; Severity: ANY; Count: 100

Offset 6
  Source IP: SAME, $TARGET02, ANY
  Destination IP: ANY
  Service Name: ANY
  Event: Penetrate/GuessPassword/NetworkShares, Penetrate/GuessPassword/WinDomain, Penetrate/GuessPassword/System/Root, Penetrate/GuessPassword/System/Non-root
  Device: ANY; Reported User: None; Keyword: ANY; Severity: ANY; Count: 5

*********************************************************************************************************************************************

Incident ID: 44

Columns in the MARS display: Offset, Session / Incident ID, Event Type, Source IP/Port, Destination IP/Port, Protocol, Time, Reporting Device, Reported User, Path / Mitigate, False Positive

Offset 5 (event group summary): Deny packet due to security policy | Source 111.111.111.111/0 | Groups: 32, Total: 50
Offset 5, Incident 44 (session summary): Deny packet due to security policy | 111.111.111.111/0 -> 222.222.222.222/0 | ICMP | Total: 2
Offset 5, Incident 44: Deny packet due to security policy | 111.111.111.111/0 -> 222.222.222.222/0 | ICMP | Today | Firewall | [False Positive]
Offset 5, Incident 44: Deny packet due to security policy | 111.111.111.111/0 -> 222.222.222.222/0 | ICMP | Today | Firewall | [False Positive]
Offset 5, Incident 44: Deny packet due to security policy | 111.111.111.111/0 -> 222.222.222.222/0 | ICMP | Today | Firewall | [False Positive]
Offset 5, Incident 44: Deny packet due to security policy | 111.111.111.111/0 -> 222.222.222.222/0 | ICMP | Today | Firewall | [False Positive]

6 Replies

Farrukh Haroon
VIP Alumni

Yes, this is a regular feature of MARS :)

This and the P2P event is common for almost everybody I think. You have to do false positive tuning for this by creating a drop rule in MARS.

Regards

Farrukh

Thanks, I will look into fine tuning, but it still doesn't feel right.

When I tried another scan on my network (a FIN and FIN/ACK), I got an alert for System Rule: Network Activity: P2P File Sharing - Active.

I just don't see how a TCP scan can alert this. The only factor that I can see causing this would be the event group, but I can't figure out the details of the event group in the rule.

Does this make sense? Also, when you say fine tune the drop rules, do you mean create your own custom rules? Sorry, but I am new to MARS and haven't yet fully understood what fine tuning is other than duplicating the rule and trying to figure it out yourself.

Once you get the incident, you will find a 'False Positive Tuning' button on the various lines (events/sessions) contained in the incident. This button is at the extreme right of the line. You can just click that button to launch a step-by-step wizard for tuning. Alternatively, you can create manual rules by going to the 'Drop Rules' tab in MARS.

You can also 'fine-tune' the counts etc. of the existing rules in MARS, but I personally don't like to change the built-in rules. Other people look at this differently.

Regards

Farrukh

Doesn't seem right that the built-in rules are so broken. I thought it was me that was doing something wrong. Thanks for your time.

I also have those rules happening a lot. I have not tuned them out yet because, like you, I am suspicious of the activity. I cannot seem to see any trends. My thoughts on the rule summary would be that a virus or P2P software needs to confirm connectivity to a host or actively look for more hosts through the use of ICMP. If I were to write such a program, that is the logic I would use.

In most of my cases (if not all) it is not P2P software but a scan against my network. There is no discrimination whether the rule is alerting on traffic coming from an internet machine to my network or on my machine going out to the internet, so the rule is giving a false warning when stating P2P traffic.
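As an added example (not MARS code and not posted by anyone in this thread), the following Python models the one branch of the rule quoted in the original post that a plain ping scan satisfies: offset 5, Source IP SAME ($TARGET02), Service icmp, Count 100, inside the rule's Time Range of 0m:10s. It also models the two tuning options the replies mention: a drop rule, here a set of sources discarded before correlation, and adjusting the count or window, here the two constants. The firewall log line format, the sample addresses and timestamps, and every function name are constructed for illustration; MARS's real event schema and drop-rule mechanics are not shown on the page.

```python
"""Sliding-window correlation modelled on offset 5 of the quoted MARS rule.

Added example, not MARS code.  Log format, sample data and names are assumed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

WINDOW = timedelta(seconds=10)  # rule "Time Range: 0m:10s"
THRESHOLD = 100                 # rule offset 5 "Count 100"

# Constructed log line shape (assumed, not a real device format):
#   <ISO-8601 time> DENY proto=ICMP src=<ip> dst=<ip>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) DENY proto=(?P<proto>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)$"
)


@dataclass
class Event:
    ts: datetime
    proto: str
    src: str
    dst: str


def parse_line(line):
    """Parse one constructed deny line; return None when it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Event(datetime.fromisoformat(m["ts"]), m["proto"], m["src"], m["dst"])


def parse_lines(lines):
    """Parse many lines, silently skipping anything that is not a deny record."""
    return [ev for ev in map(parse_line, lines) if ev is not None]


def correlate_icmp(events, drop_sources=frozenset()):
    """Fire once per source whose ICMP events reach THRESHOLD inside WINDOW.

    Returns a list of (src, time_fired, distinct_destinations_in_window).
    drop_sources plays the part of a MARS drop rule: events from those sources
    are discarded before correlation, which is the false-positive tuning the
    replies describe.
    """
    windows = defaultdict(deque)  # src -> its ICMP events still inside WINDOW
    fired = set()
    incidents = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.proto != "ICMP" or ev.src in drop_sources:
            continue
        q = windows[ev.src]
        q.append(ev)
        while ev.ts - q[0].ts > WINDOW:  # slide the window; q[0] is never empty here
            q.popleft()
        if len(q) >= THRESHOLD and ev.src not in fired:
            fired.add(ev.src)
            incidents.append((ev.src, ev.ts, len({e.dst for e in q})))
    return incidents


BASE = datetime(2008, 1, 1, 12, 0, 0)  # constructed start time for the samples


def sweep_lines(src, n_hosts, interval_ms):
    """Constructed sample: one source probing n_hosts addresses in 222.222.222.0/24,
    one ICMP probe every interval_ms, all denied at the firewall."""
    return [
        f"{(BASE + timedelta(milliseconds=interval_ms * i)).isoformat()} "
        f"DENY proto=ICMP src={src} dst=222.222.222.{i + 1}"
        for i in range(n_hosts)
    ]


def background_lines():
    """Constructed sample: a host pinging its gateway every 10 s (ordinary noise)."""
    return [
        f"{(BASE + timedelta(seconds=10 * i)).isoformat()} DENY proto=ICMP src=10.0.0.5 dst=10.0.0.1"
        for i in range(12)
    ]


def demo():
    """Fast sweep fires; the same sweep at 600 ms per probe does not; a drop rule
    for the scanning host suppresses the fast sweep entirely."""
    fast = parse_lines(sweep_lines("111.111.111.111", 120, 50) + background_lines())
    slow = parse_lines(sweep_lines("111.111.111.111", 120, 600) + background_lines())
    return {
        "fast_sweep": correlate_icmp(fast),
        "slow_sweep": correlate_icmp(slow),
        "fast_sweep_with_drop_rule": correlate_icmp(fast, drop_sources={"111.111.111.111"}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result or 'no incident'}")
```

Run stand-alone it prints three results: the 120-host sweep at 50 ms per probe trips the rule at the 100th ICMP event (about 5 s in, with 100 distinct destinations in the window), the same sweep at 600 ms per probe never has more than 17 events inside any 10 s window and stays silent, and the fast sweep with the scanner's address in drop_sources produces nothing. That is what the thread observes: this branch counts ICMP volume from one source, so an authorised ping scan and a worm's host discovery look the same to it, and the choice is between a drop rule for known scanners and changing the count or window.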
