Snort mailing list archives
W32.Bugbear.B@mm signature
From: CGhercoias () TWEC COM
Date: Fri, 6 Jun 2003 10:44:55 -0400
Hello all,

In case anyone is interested, I created the definitions for W32.Bugbear.B@mm. I took the payload data from Symantec (http://securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b@mm.html) and it seems that they are good. I might be wrong, so please let me know about your experience with them.

<<<<<<<<<<<<<<<<<<<<<<<<<<<<DATA SKIPS>>>>>>>>>>>>>>>>>>>>>>>>>>

# SMTP propagation: the attachment travels base64-encoded, so the payload bytes are matched in their base64 form.
alert tcp any any -> any 25 ( sid: 1000005; rev: 3; msg: "BugBear B SMTP Worm Propagation"; flow: to_server,established; content: "CwEGAAAgAQAAEAAAAOAGACABCAAA8AYAABAIAAAAQAAAEAAAAAIAAAQAAAAA"; reference: url,securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b@mm.html; classtype: trojan-activity;)

# Network share propagation: the file is copied raw, so the same payload bytes are matched in Snort's |hex| binary form.
# The original post wrote both patterns as ASCII hex text ("5550583000..."), which would never match a raw transfer.
alert tcp any any -> any 139 ( sid: 1000006; rev: 4; msg: "BugBear B Network Worm Propagation"; flow: to_server,established; content: "|55 50 58 30 00 00 00 00 00 E0 06 00 00 10 00 00|"; content: "|0B 01 06 00 00 20 01 00 00 10 00 00 00 E0 06 00 20 01 08 00 00 F0 06 00 00 10 08 00 00 00 40 00 00 10 00 00 00 02|"; reference: url,securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b@mm.html; classtype: trojan-activity;)

# Backdoor on TCP/1080: each rule matches one single-letter command framed by semicolons, within the first 50 bytes of the payload.
alert tcp any any -> any 1080 ( sid: 1000007; rev: 1; msg: "BugBear B Backdoor Attack"; flow: to_server,established; content: "|3b|p|3b|"; depth: 50; reference: url,securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b@mm.html; classtype: trojan-activity;)
alert tcp any any -> any 1080 ( sid: 1000008; rev: 1; msg: "BugBear B Backdoor Attack"; flow: to_server,established; content: "|3b|e|3b|"; depth: 50; reference: url,securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b@mm.html; classtype: trojan-activity;)
alert tcp any any -> any 1080 ( sid: 1000009; rev: 1; msg: "BugBear B Backdoor Attack"; flow: to_server,established; content: "|3b|f|3b|"; depth: 50; reference: url,securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b@mm.html; classtype: trojan-activity;)
alert tcp any any -> any 1080 ( sid: 1000010; rev: 1; msg: "BugBear B Backdoor Attack"; flow: to_server,established; content: "|3b|s|3b|"; depth: 50; reference: url,securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b@mm.html; classtype: trojan-activity;)
alert tcp any any -> any 1080 ( sid: 1000011; rev: 1; msg: "BugBear B Backdoor Attack"; flow: to_server,established; content: "|3b|c|3b|"; depth: 50; reference: url,securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b@mm.html; classtype: trojan-activity;)
alert tcp any any -> any 1080 ( sid: 1000012; rev: 1; msg: "BugBear B Backdoor Attack"; flow: to_server,established; content: "|3b|o|3b|"; depth: 50; reference: url,securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b@mm.html; classtype: trojan-activity;)
alert tcp any any -> any 1080 ( sid: 1000013; rev: 1; msg: "BugBear B Backdoor Attack"; flow: to_server,established; content: "|3b|k|3b|"; depth: 50; reference: url,securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b@mm.html; classtype: trojan-activity;)
alert tcp any any -> any 1080 ( sid: 1000014; rev: 1; msg: "BugBear B Backdoor Attack"; flow: to_server,established; content: "|3b|d|3b|"; depth: 50; reference: url,securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b@mm.html; classtype: trojan-activity;)
alert tcp any any -> any 1080 ( sid: 1000015; rev: 1; msg: "BugBear B Backdoor Attack"; flow: to_server,established; content: "|3b|r|3b|"; depth: 50; reference: url,securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b@mm.html; classtype: trojan-activity;)
alert tcp any any -> any 1080 ( sid: 1000016; rev: 1; msg: "BugBear B Backdoor Attack"; flow: to_server,established; content: "|3b|h|3b|"; depth: 50; reference: url,securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b@mm.html; classtype: trojan-activity;)
alert tcp any any -> any 1080 ( sid: 1000017; rev: 1; msg: "BugBear B Backdoor Attack"; flow: to_server,established; content: "|3b|i|3b|"; depth: 50; reference: url,securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b@mm.html; classtype: trojan-activity;)
alert tcp any any -> any 1080 ( sid: 1000018; rev: 1; msg: "BugBear B Backdoor Attack"; flow: to_server,established; content: "|3b|z|3b|"; depth: 50; reference: url,securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b@mm.html; classtype: trojan-activity;)
alert tcp any any -> any 1080 ( sid: 1000019; rev: 1; msg: "BugBear B Backdoor Attack"; flow: to_server,established; content: "|3b|y|3b|"; depth: 50; reference: url,securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b@mm.html; classtype: trojan-activity;)
alert tcp any any -> any 1080 ( sid: 1000020; rev: 1; msg: "BugBear B Backdoor Attack"; flow: to_server,established; content: "|3b|t|3b|"; depth: 50; reference: url,securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b@mm.html; classtype: trojan-activity;)

Thank you,
___________________________
Catalin Ghercoias
Web/Security System Administrator
website: http://www.fye.com
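The base64 string in the SMTP rule and the hex run in the port-139 rule describe the same payload bytes. The following script is an added example, not part of the original post: it decodes both strings to confirm they agree, renders bytes in Snort's |hex| content form, and shows a caveat of matching base64 in mail: the fixed 60-character string only appears when the bytes start at a multiple of 3 inside the attachment and are not split by the 76-column MIME line wrap. It assumes a standard 76-column CRLF base64 encoder and uses constructed zero filler as test data.

```python
import base64
import binascii

# Content strings copied from the two Snort rules in the post. The SMTP rule
# carries base64 (the form an attachment takes in mail); the port-139 rule
# carries the same bytes as hex. Assumed here: both describe one byte run.
SMTP_CONTENT = "CwEGAAAgAQAAEAAAAOAGACABCAAA8AYAABAIAAAAQAAAEAAAAAIAAAQAAAAA"
SMB_HEX = "0B010600002001000010000000E006002001080000F006000010080000004000001000000002"


def smtp_rule_bytes() -> bytes:
    """Raw bytes the SMTP rule's base64 content string stands for."""
    return base64.b64decode(SMTP_CONTENT)


def smb_rule_bytes() -> bytes:
    """Raw bytes the port-139 rule's hex string stands for."""
    return binascii.unhexlify(SMB_HEX)


def rules_describe_same_bytes() -> bool:
    """Cross-check: the SMB hex run must be a prefix of the decoded SMTP run."""
    smb = smb_rule_bytes()
    return smtp_rule_bytes()[: len(smb)] == smb


def snort_binary_content(raw: bytes) -> str:
    """Render bytes in Snort's |xx xx| content form for a raw (non-base64) match."""
    return "|" + " ".join(f"{b:02X}" for b in raw) + "|"


def mime_body(attachment: bytes, line_len: int = 76) -> str:
    """Base64 text a MIME encoder emits for `attachment`: 76-column lines
    ending in CRLF, which is what the SMTP stream actually carries."""
    text = base64.b64encode(attachment).decode()
    lines = [text[i:i + line_len] for i in range(0, len(text), line_len)]
    return "\r\n".join(lines) + "\r\n"


def smtp_rule_matches(attachment: bytes) -> bool:
    """Would the SMTP rule's 60-char string occur verbatim in that body?"""
    return SMTP_CONTENT in mime_body(attachment)


def alignment_report(pattern: bytes, max_offset: int = 80) -> dict:
    """Constructed test: put `pattern` after `off` filler bytes and record,
    per offset, whether the fixed base64 string survives. It does so only
    when the pattern starts at a multiple of 3 (base64 group alignment) and
    the 60 characters do not straddle a 76-column line break."""
    return {off: smtp_rule_matches(b"\x00" * off + pattern + b"\x00" * 16)
            for off in range(max_offset)}
```

For a worm that always mails the same binary the alignment is fixed, so one base64 string can be enough, but it must be taken from the encoded attachment rather than computed from an arbitrary byte slice.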