Snort mailing list archives

Re: Witty worm sig


From: peter.grosse-hering () ps ge com
Date: Tue, 23 Mar 2004 09:43:49 -0500

Better use the following signature:

alert udp any 4000:5000 -> any any (msg:"Witty Initial Traffic"; content:"|29202020202020696e73657274207769747479206d6573736167652068657265|"; rev:1;)

Peter

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Dave
Ellingsberg
Sent: Monday, 22 March 2004 16:07
To: snort-users () lists sourceforge net
Subject: [Snort-users] Witty worm sig


I have tested this on our internet access point and it gets the attack
every time. May need some more tweaking as more info comes out.

alert udp $HOME_NET 4000 -> any any (msg:"EXPER Witty worm Possible connection"; content:"witty message"; offset:128; depth:144; sid:99998;)

Using the $HOME_NET limits alerts to only infected hosts on my network.
Replacing it with any will give you data to refine the rule. We are
seeing in excess of 500 inbound per minute.

bigfoot


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
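The two rules in this thread key on different things: Dave's rule requires source port 4000, restricts the source address to $HOME_NET, and only searches a 144-byte window starting at payload offset 128 for "witty message"; Peter's rule accepts any source port in 4000:5000, searches the whole payload, and matches the longer hex string (which decodes to ")" followed by six spaces and "insert witty message here"). Note that Peter's rule carries rev:1 but no sid, which a Snort deployment will want added from its local sid range. The script below is an added example, not code from either post or from the Snort project: it models only the port test and the content/offset/depth test (the $HOME_NET address restriction is left out), using the Snort 2.x semantics in which depth is counted from offset, and runs both rules over constructed payloads that carry the marker string at different positions.

```python
"""
Added example (not from the list posting): replay the two Snort rules in this
thread against constructed UDP payloads to see what each one actually keys on.
Only the transport ports and the content/offset/depth test are modelled; the
$HOME_NET source-address restriction in Dave's rule is out of scope here.
Offset/depth semantics follow the Snort 2.x manual: depth is counted from
offset, so the search window is payload[offset : offset + depth].
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def parse_content(spec: str) -> bytes:
    """Decode a Snort content string: text between '|' pairs is hex."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2 == 1:           # inside a |...| pair
            out += bytes.fromhex(part)
        else:                    # literal text
            out += part.encode("latin-1")
    return bytes(out)


def parse_ports(spec: str) -> Tuple[int, int]:
    """'any', '4000' or '4000:5000' -> inclusive (low, high)."""
    if spec == "any":
        return 0, 65535
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return int(lo or 0), int(hi or 65535)
    return int(spec), int(spec)


@dataclass
class ContentRule:
    msg: str
    src_ports: str
    dst_ports: str
    content: bytes
    offset: int = 0
    depth: Optional[int] = None

    def matches(self, sport: int, dport: int, payload: bytes) -> bool:
        lo, hi = parse_ports(self.src_ports)
        if not lo <= sport <= hi:
            return False
        lo, hi = parse_ports(self.dst_ports)
        if not lo <= dport <= hi:
            return False
        # depth is relative to offset: search only payload[offset:offset+depth]
        end = len(payload) if self.depth is None else self.offset + self.depth
        return self.content in payload[self.offset:end]


# The two rules as posted (Dave's first, Peter's reply second).
RULES = [
    ContentRule("EXPER Witty worm Possible connection", "4000", "any",
                parse_content("witty message"), offset=128, depth=144),
    ContentRule("Witty Initial Traffic", "4000:5000", "any",
                parse_content("|29202020202020696e73657274207769747479206d6573736167652068657265|")),
]


def evaluate(sport: int, dport: int, payload: bytes) -> List[str]:
    """Return the msg of every rule that fires on this UDP datagram."""
    return [r.msg for r in RULES if r.matches(sport, dport, payload)]


# Constructed test payloads (not captured worm traffic). The marker contains
# the string Peter's hex decodes to, framed with a smiley on each side; the
# zero padding around it is arbitrary.
MARKER = b"(^.^)" + b" " * 6 + b"insert witty message here" + b"  (^.^)"
PAYLOAD_EARLY = b"\x00" * 200 + MARKER + b"\x00" * 300   # marker inside [128, 272)
PAYLOAD_LATE = b"\x00" * 300 + MARKER + b"\x00" * 200    # marker starts past byte 272


if __name__ == "__main__":
    cases = [("early marker, sport 4000", 4000, PAYLOAD_EARLY),
             ("late marker, sport 4000", 4000, PAYLOAD_LATE),
             ("early marker, sport 4500", 4500, PAYLOAD_EARLY)]
    for label, sport, payload in cases:
        print(f"{label}: {evaluate(sport, 23456, payload)}")
```

Running it shows the trade-off between the two rules: with the marker inside the 128..272 byte window and source port 4000 both rules fire; move the marker later in the datagram and only Peter's unwindowed rule fires; change the source port to 4500 and again only Peter's rule fires. Whether that extra coverage is worth the wider source-port range and the full-payload search is a decision for whoever tunes the ruleset.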
