This is for anyone interested in seeing what alerts Blink will show when another machine on the LAN is infected with Conficker and is trying to spread to your machine:
1. RPC : Server Service Attack
Event ID: BLINK-BAM-10129
Severity: High
Description: A vulnerability in the Server Service (MS08-067) allows remote attackers to perform remote code execution through malicious RPC requests.
Alert: Yes
Action: Terminated
Attacker: 10.2.152.71
Attacker Port: 2886
Victim IP: 10.2.152.46
Victim Port: 445
Protocol: TCP
Log File: C:\Program Files\eEye Digital Security\Blink\Captures\Sep_09_2009\capture_Sep_09_2009_17_01_32_671_01.cap
2. RPC : Server Service RPC Attack
Event ID: BLINK-BAM-10121
Severity: High
Description: There is a remote code execution vulnerability in Server Service that could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system.
Alert: Yes
Action: Terminated
Attacker: 10.2.152.71
Attacker Port: 2886
Victim IP: 10.2.152.46
Victim Port: 445
Protocol: TCP
Log File: C:\Program Files\eEye Digital Security\Blink\Captures\Sep_09_2009\capture_Sep_09_2009_17_01_32_671_01.cap
================================================
By default, these rules are not set to create capture packets.
I have a newly installed Windows XP Professional machine on a network that does not get updated often (because of its remote location). It is missing a lot of patches (hence why I put Blink on it). I noticed these alerts on the machine about an hour or so after installing Blink. At that time I enabled the packet capture feature for these two rules. After seeing the alerts come up again, I sent the capture packets in question to eEye and they confirmed that it looked like the Conficker worm's traffic.
Blink proves its worth again!
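
An added example, not part of the original post and not eEye's code: a small parser for alert text laid out as pasted above, which groups rule hits by connection (the two alerts here share one attacker port, so they are one TCP session) and lists the LAN hosts to go and check. The function names and the assumption that alerts are available as plain "Key: value" text are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the layout shown in the post (fields trimmed).
SAMPLE = """\
1. RPC : Server Service Attack
Event ID: BLINK-BAM-10129
Attacker: 10.2.152.71
Attacker Port: 2886
Victim IP: 10.2.152.46
Victim Port: 445
2. RPC : Server Service RPC Attack
Event ID: BLINK-BAM-10121
Attacker: 10.2.152.71
Attacker Port: 2886
Victim IP: 10.2.152.46
Victim Port: 445
"""

HEADER = re.compile(r"^\d+\.\s+(.*)$")     # "1. RPC : Server Service Attack"
FIELD = re.compile(r"^([^:]+):\s*(.*)$")   # split on the first colon only

def parse_alerts(text):
    """Return one dict per numbered alert; lines that fit neither shape are skipped."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        header, field = HEADER.match(line), FIELD.match(line)
        if header:                          # checked first: headers also contain ':'
            alerts.append({"Rule": header.group(1)})
        elif field and alerts:
            alerts[-1][field.group(1).strip()] = field.group(2).strip()
    return alerts

def group_by_connection(alerts):
    """Map (attacker, attacker port, victim, victim port) to the Event IDs seen on it."""
    conns = defaultdict(list)
    for a in alerts:
        key = tuple(a.get(k) for k in
                    ("Attacker", "Attacker Port", "Victim IP", "Victim Port"))
        conns[key].append(a.get("Event ID"))
    return dict(conns)

def smb_sources(alerts):
    """Distinct source addresses that triggered alerts against TCP port 445."""
    return sorted({a["Attacker"] for a in alerts
                   if a.get("Victim Port") == "445" and "Attacker" in a})

if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE)
    print(group_by_connection(parsed), smb_sources(parsed))
```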