Snort mailing list archives
AW: Witty worm sig
From: peter.grosse-hering () ps ge com
Date: Tue, 23 Mar 2004 09:43:49 -0500
Better use the following signature:

alert udp any 4000:5000 -> any any (msg:"Witty Initial Traffic"; content:"|29202020202020696e73657274207769747479206d6573736167652068657265|"; rev:1;)

Peter

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Dave Ellingsberg
Sent: Monday, 22 March 2004 16:07
To: snort-users () lists sourceforge net
Subject: [Snort-users] Witty worm sig

I have tested this on our internet access point and it gets the attack every time. May need some more tweaking as more info comes out.

alert udp $HOME_NET 4000 -> any any (msg:"EXPER Witty worm Possible connection"; content:"witty message"; offset: 128; depth: 144; sid: 99998;)

Using the $HOME_NET limits alerts to only infected hosts on my network. Replacing it with any will give you data to refine the rule. We are seeing in excess of 500 inbound per minute.

bigfoot

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
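The two rules in this thread differ in how they anchor the content match: Dave's rule only looks for "witty message" inside a 144-byte window starting at payload offset 128, while Peter's hex rule searches the whole payload for the full 32-byte string. The following Python is an added example, not code from the thread or from Snort: it approximates Snort 2 content/offset/depth matching (assuming depth counts from the offset) and runs both rules over constructed filler payloads to show where each fires.

```python
import binascii
from typing import Optional

# Hex content exactly as written between the pipes in Peter's rule.
WITTY_HEX = "29202020202020696e73657274207769747479206d6573736167652068657265"
WITTY_BYTES = binascii.unhexlify(WITTY_HEX)   # b')      insert witty message here'


def snort_content_match(payload: bytes, pattern: bytes,
                        offset: int = 0, depth: Optional[int] = None) -> bool:
    """Approximate Snort 2 'content' matching.

    offset: byte index in the payload where the search starts.
    depth:  how many bytes from that start to search; the whole pattern
            must fall inside the window (assumed Snort 2 semantics).
    """
    end = None if depth is None else offset + depth
    return pattern in payload[offset:end]


def dave_rule_fires(payload: bytes) -> bool:
    # content:"witty message"; offset: 128; depth: 144;
    return snort_content_match(payload, b"witty message", offset=128, depth=144)


def peter_rule_fires(payload: bytes) -> bool:
    # content:"|29 20 ... 65|" with no offset/depth: search the whole payload.
    return snort_content_match(payload, WITTY_BYTES)


def build_sample(marker_pos: Optional[int], length: int = 400) -> bytes:
    """Constructed test payload: filler bytes with the marker string placed
    at marker_pos (or no marker at all). This is not real worm traffic."""
    buf = bytearray(b"A" * length)
    if marker_pos is not None:
        buf[marker_pos:marker_pos + len(WITTY_BYTES)] = WITTY_BYTES
    return bytes(buf)


if __name__ == "__main__":
    for pos in (130, 300, None):
        p = build_sample(pos)
        print(pos, "dave:", dave_rule_fires(p), "peter:", peter_rule_fires(p))
```

With the marker at offset 130 both rules fire; at offset 300 only Peter's unanchored rule fires, which is the trade-off between a tighter window (fewer false positives) and tolerance for payload variation.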
Current thread:
- AW: Witty worm sig peter . grosse-hering (Mar 23)