The purpose of this page is to make the scripts that I've written for the SMB Lure available to others who might like to use them. Credit for the SMB Lure concept goes solely to John Morris of Nortel Networks who first conceived of the idea and then shared it with me. These scripts were first written to help automate some of the work of the SMB Lure that I set up for UTD. It was only later that I thought it might be worthwhile to share them with the A/V community in an effort to help speed adoption of the SMB Lure as a useful tool in combating network-aware worms.
I have included below a copy of my PowerPoint presentation at the 2002 EduTex conference. It should provide sufficient information to get an SMB Lure properly configured, but the assumption is that you have sufficient knowledge to get a version of Unix running with Samba installed. Many different versions have been used. I personally use OpenBSD, but any form of Linux, including Trinux, will work just fine, as will the other BSDs and I'm sure Solaris, AIX and others as well. As long as the OS can run Samba, you can set up SMB Lure. You should probably visit John's page as well.
The one thing that I don't have here is the "wormbait.src" directory. You will have to create that, but once it's created, it never has to be redone. Don't forget that paths to executables may be different on the version of Unix that you use, so you will need to edit the scripts to reflect the correct paths or it won't work. All these scripts were written for OpenBSD, so they will probably have to be changed for Linux or Solaris. When setting up boxes like these, I generally tend to compile from source and install to the default directories.
Note: to get the best results from the lure, it is necessary to listen on the SMB port (445/TCP) as well as the default netbios-ns (138/UDP) and netbios-ssn (139/TCP) ports. To do this with samba 2.x versions, add the following line to your inetd.conf file: "microsoft-ds stream tcp nowait root {path to smbd} smbd". After doing this, HUP inetd to start listening on the SMB port, and your lure will pick up "modern" worms as well (ones designed to only work for Win2k and WinXP.)
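The following is an added example and not one of the page's own scripts. It shows the two checks a practitioner wants after following the note above: that inetd.conf carries an uncommented microsoft-ds entry (and appends the one from the note if it is missing), and that smbd is actually listening on 139/TCP and 445/TCP once inetd has been HUPed. The smbd path and the sample inetd.conf are constructed for the demonstration; substitute your own. (For the UDP side, NetBIOS name service is 137/UDP and the datagram service is 138/UDP; the example only checks the two TCP listeners.)

```shell
#!/bin/sh
# Added example, not part of the SMB Lure scripts: verify the inetd-based
# port 445 listener described in the note above.

# has_microsoft_ds FILE
# Prints "yes" if FILE holds an uncommented inetd entry for microsoft-ds
# (445/TCP), "no" otherwise. A leading '#' means the entry is disabled.
has_microsoft_ds() {
    if grep -Eq '^[[:space:]]*microsoft-ds[[:space:]]+stream[[:space:]]+tcp' "$1"; then
        echo yes
    else
        echo no
    fi
}

# add_microsoft_ds FILE SMBD_PATH
# Appends the entry from the note if FILE lacks one. SMBD_PATH is the full
# path to smbd on your system (assumed; it differs between installs).
add_microsoft_ds() {
    if [ "$(has_microsoft_ds "$1")" = no ]; then
        printf 'microsoft-ds\tstream\ttcp\tnowait\troot\t%s\tsmbd\n' "$2" >> "$1"
    fi
}

# listening_smb_ports
# Prints whichever of 139 and 445 currently has a TCP listener, one per
# line. `netstat -an` prints the local address as "*.139" on OpenBSD and as
# "0.0.0.0:139" or ":::139" on Linux, so the port is the last piece after
# splitting on '.' or ':'; LISTEN is the state field in both formats.
listening_smb_ports() {
    netstat -an 2>/dev/null | awk '
        $NF == "LISTEN" {
            n = split($4, a, /[.:]/); port = a[n]
            if (port == 139 || port == 445) print port
        }' | sort -u
}

# Constructed sample inetd.conf with the microsoft-ds line commented out,
# so the stand-alone run shows the entry being enabled.
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp  nowait  root  /usr/libexec/ftpd  ftpd -US
#microsoft-ds stream tcp nowait root /usr/local/sbin/smbd smbd
EOF
echo "before: microsoft-ds enabled = $(has_microsoft_ds "$tmp")"
add_microsoft_ds "$tmp" /usr/local/sbin/smbd
echo "after:  microsoft-ds enabled = $(has_microsoft_ds "$tmp")"
rm -f "$tmp"
echo "SMB/NetBIOS TCP listeners on this host:"
listening_smb_ports
```

On a live lure, run `listening_smb_ports` after HUPing inetd; if 445 is absent, the inetd entry was not read (check the service name resolves in /etc/services) or smbd was not found at the path given.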
Fishing-for-Worms (the Powerpoint presentation)
smb.conf (a heavily commented samba configuration file)
cleanup.sh (a script for cleaning out the wormbait directory and recreating it)
makefiles.sh (the script for populating the wormbait directory)
checklogs.sh (the script for checking the logs and sending email alerts). This script is now deprecated and should not be used. Use the Perl script instead.
checklogs.bash (a bash version of the original shell script). This script is maintained by Russell Cluett of EDS. All errors or problems in it are my responsibility, however, so notify me if you have trouble with it.
system_files (a text file with a list of "Windows" system filenames in it)
files (a text file with a list of "Windows" filenames in it)
checklogs.perl (a brand new Perl script to replace checklogs.sh). This script includes a new feature that allows you to get paged if a selectable number of alerts have been sent. It *requires* the use of the "wormlist.txt" file as well, which is fed to a hash for searching. For the purists out there, I had to rename the script to .perl to keep our system from trying to run it when you tried to download it. It will run either way, but feel free to rename it .pl if you're used to that. You *will* have to right click on it now to download it. If you left click on it, it will most likely display in your browser.
wormlist.txt - this file is designed so signatures can be easily added as new worms are discovered. See the comments in the file as well as in "checklogs.perl".
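The following is an added example, not the page's checklogs script, showing the log-checking logic the entries above describe: the wormlist is loaded into an awk associative array (the "hash" used for searching), each write into the lure share is looked up by filename, and once the number of alerts reaches a threshold the report flags that a page should go out. The wormlist format assumed here is one signature per line, "filename<TAB>worm name" with '#' comment lines (the real file documents its own format), and the log lines are the "opened file ... write=Yes" lines that smbd prints at log level 2; the sample signatures and log lines are constructed. Writes that match no signature are reported as UNKNOWN rather than dropped, since a lure's whole value is catching worms nobody has a signature for yet.

```shell
#!/bin/sh
# Added example, not part of the SMB Lure scripts: scan an smbd log for
# writes into the lure share, name them from a wormlist, and decide
# whether the alert count warrants a page.

# scan_log LOGFILE WORMLIST
# Prints one line per file written through the lure:  <worm name>|<path>
# Filenames are compared case-insensitively; Windows clients vary the case.
scan_log() {
    awk -F'\t' '
        # First input file: the wormlist, loaded into the sig[] hash.
        NR == FNR {
            if ($0 ~ /^[[:space:]]*(#|$)/) next
            sig[tolower($1)] = ($2 != "") ? $2 : $1
            next
        }
        # Second input file: the log. Only completed writes matter; a worm
        # reading the bait files is not yet a worm dropping itself.
        /opened file/ && /write=Yes/ {
            path = ""
            n = split($0, w, " ")
            for (i = 1; i < n; i++) if (w[i] == "file") path = w[i + 1]
            if (path == "") next
            m = split(path, parts, "/")
            base = tolower(parts[m])
            name = (base in sig) ? sig[base] : "UNKNOWN"
            print name "|" path
        }' "$2" "$1"
}

# report LOGFILE WORMLIST THRESHOLD
# Prints the alert lines, then a summary "alerts=N page=yes|no" where page
# is yes once N reaches THRESHOLD (the selectable page count).
report() {
    hits=$(scan_log "$1" "$2")
    count=0
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        count=$(printf '%s\n' "$hits" | wc -l | tr -d ' ')
    fi
    page=no
    if [ "$count" -ge "$3" ]; then page=yes; fi
    echo "alerts=$count page=$page"
}

# Constructed sample wormlist and log for a stand-alone run.
wl=$(mktemp); log=$(mktemp)
printf '# constructed signatures: filename<TAB>worm name\n' > "$wl"
printf 'winlogon.exe\tExample.Worm.A\n' >> "$wl"
printf 'netlogon.vbs\tExample.Worm.B\n' >> "$wl"
cat > "$log" <<'EOF'
[2002/03/12 10:23:45, 2] smbd/open.c:open_file(123)
  nobody opened file winlogon.exe read=No write=Yes (numopen=1)
  nobody opened file readme.txt read=Yes write=No (numopen=2)
  nobody opened file sub/NETLOGON.VBS read=No write=Yes (numopen=3)
  nobody opened file newthing.exe read=No write=Yes (numopen=4)
EOF

# Mail the report when MAILTO is set (an assumed variable); otherwise print it.
if [ -n "${MAILTO:-}" ]; then
    report "$log" "$wl" 3 | mail -s "SMB Lure alert" "$MAILTO"
else
    report "$log" "$wl" 3
fi
rm -f "$wl" "$log"
```

Run it from cron against the current smbd log, with the threshold set to whatever count of drops in one run should wake someone up. Filenames containing spaces are split by the word scan here; Samba's own log lines do not quote them, so a script that must handle them should match on the text between "opened file " and " read=" instead.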