Snort mailing list archives
Re: Snort-users digest, Vol 1 #4056 - 9 msgs
From: SN ORT <snort_on_acid () yahoo com>
Date: Thu, 18 Mar 2004 12:29:04 -0800 (PST)
The WEBDAV is a worm, but I've never seen the NOOP alerts associated with the webdav stuff. I have Nachi.B packet captures here: Port 80 packets are only sub-100 bytes long, same as the 445 packets, and both have the same payload, such as:

:01:14.978689 00:02:55:58:cc:78 > 00:0c:f1:90:23:98, ethertype IPv4 (0x0800), length 60: IP (tos 0x0, ttl 238, id 20552, offset 0, flags [DF], length: 40) 134.252.70.133.80 > 192.168.13.91.3230: . [tcp sum ok] ack 0 win 0
        0x0000:  4500 0028 5048 4000 ee06 b596 86fc 4685  E..(PH@.......F.
        0x0010:  ac14 0d5b 0050 0c9e 4d5e 1001 2c3e 0e4e  ...[.P..M^..,>.N
        0x0020:  5010 0000 840a 0000 0000 0000 0000       P.............

I don't think your problem is related to the Nachi/Welchia worm.

Cheese!
Marc

------------------Original message--------------------

Message: 6
Subject: Re: [Snort-users] RFC: SHELLCODE and WEDAV alerts
From: Frank Knobbe <frank () knobbe us>
To: Michael Shirk <shirkdog_linux () hotmail com>
Cc: snort-users () lists sourceforge net
Date: Thu, 18 Mar 2004 10:52:22 -0600

On Thu, 2004-03-18 at 09:56, Michael Shirk wrote:
Then I get one WEBDAV alert with a payload of 1460:

WEB-MISC WebDAV search access 3/15/2004 17:30:10

Which contains the following string:

SEARCH /

Followed by 90 or . characters. I have not seen any viruses of this nature, and it is either a terrible false positive or some kind of script. I have seen different sources with the same exact pattern. I am going to write a rule for this but wondering if anyone has seen the things in THEIR LOGS.

It's a Nachi variant (B?) that is trying to enter web servers that have the WebDAV component enabled. I have some web servers on monitored networks that just get pummeled with those attacks (about 6000/day) while other web servers do not get hit at all. There was a discussion in SF-Incidents and DShield about this.

It comes down to the virus checking for the presence of WebDAV and, if found, launching the attack. If you can turn WebDAV off on your web server, do so and the volume of alerts should disappear.

Regards,
Frank
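The pattern Michael describes (a SEARCH request followed by a run of "90" bytes, read here as hex 0x90, the x86 NOP byte the SHELLCODE x86 NOOP rules match) can be checked against captured payloads before a rule is written. The Python below is an added example, not code from anyone in this thread; the 32-byte threshold and the three sample requests are constructed.

```python
"""Classify one reassembled HTTP request payload for the WebDAV SEARCH +
NOP-sled pattern discussed in the thread. Added example; the threshold
and the sample payloads are constructed, not taken from the posts."""

NOP = 0x90          # x86 NOP, the byte the SHELLCODE x86 NOOP rules look for
MIN_NOP_RUN = 32    # constructed threshold: a real XML SEARCH body has no 0x90 run


def longest_nop_run(data: bytes) -> int:
    """Length of the longest run of consecutive 0x90 bytes in data."""
    best = run = 0
    for b in data:
        run = run + 1 if b == NOP else 0
        best = max(best, run)
    return best


def classify(payload: bytes) -> dict:
    """Return the request method, the longest NOP run after it, and a verdict."""
    method, _, rest = payload.partition(b" ")
    nops = longest_nop_run(rest)
    if method != b"SEARCH":
        verdict = "not-webdav-search"
    elif nops >= MIN_NOP_RUN:
        verdict = "webdav-search-nop-sled"   # the shape the poster saw
    else:
        verdict = "webdav-search"            # ordinary DAV SEARCH; tune, don't block
    return {"method": method.decode("ascii", "replace"),
            "nop_run": nops, "verdict": verdict}


# Constructed samples; the poster reported roughly 1460-byte payloads.
NACHI_LIKE = b"SEARCH /" + b"\x90" * 1452
LEGIT_SEARCH = (b"SEARCH /docs/ HTTP/1.1\r\nHost: dav.example\r\n"
                b"Content-Type: text/xml\r\n\r\n"
                b'<?xml version="1.0"?><D:searchrequest xmlns:D="DAV:"/>')
PLAIN_GET = b"GET /index.html HTTP/1.0\r\nHost: www.example\r\n\r\n"
SAMPLES = {"nachi_like": NACHI_LIKE, "legit_search": LEGIT_SEARCH, "get": PLAIN_GET}


def run_samples() -> dict:
    """Verdict for every constructed sample, keyed by sample name."""
    return {name: classify(p)["verdict"] for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:13s} -> {verdict}")
```

Only the first sample reaches the NOP-sled verdict; a well-formed DAV SEARCH with an XML body stays at "webdav-search", which is the false-positive class Michael was worried about.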