Nmap Development mailing list archives

Re: [PATCH] Replace kibuvDetection.nse with service matchline


From: Kris Katterjohn <katterjohn () gmail com>
Date: Sun, 25 May 2008 18:33:18 -0500


Brandon Enright wrote:
> This malware is old enough and rare enough now that it probably doesn't
> matter but we might try adding a second match line after your first one
> like so:
>
> match backdoor m|^220 [Sf.][tu.][nc.][yk.][.F][t.][p.][d.] [0.][w.][n.][s.] [j.][0.]\r?\n|i p/Generic Kibuv worm/ i/**BACKDOOR**/ o/Windows/


Thanks, I've added your line to the patch and committed it.  I also
changed my original matchline to use / as a delimiter since I use | in
the pattern, whoops :)

> Brandon


Thanks,
Kris Katterjohn


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
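
An added example, not part of the original message or of Nmap's own code: a simplified Python parser for the match-line syntax discussed above. It checks Brandon's line against constructed banners and shows why a `|` inside the pattern calls for a different delimiter. The first-occurrence delimiter rule, the sample banners and the `aFtpd|bFtpd` lines are assumptions made for illustration.

```python
import re

# Brandon Enright's match line from the message above, verbatim.
KIBUV_LINE = (r"match backdoor m|^220 [Sf.][tu.][nc.][yk.][.F][t.][p.][d.] "
              r"[0.][w.][n.][s.] [j.][0.]\r?\n|i p/Generic Kibuv worm/ "
              r"i/**BACKDOOR**/ o/Windows/")

def parse_match(line):
    """Split 'match <service> m<d><pattern><d>[flags] <version fields>'.

    Assumption of this sketch: the pattern ends at the first later occurrence
    of the delimiter <d>, so a delimiter used inside the pattern truncates it.
    """
    directive, service, rest = line.split(" ", 2)
    if directive != "match" or not rest.startswith("m"):
        raise ValueError("not a match directive")
    delim = rest[1]
    end = rest.index(delim, 2)
    flags, _, info = rest[end + 1:].partition(" ")
    # Version fields (p/.../ i/.../ o/.../) each carry their own delimiter.
    fields = {m.group(1): m.group(3)
              for m in re.finditer(r"(?:^| )([a-z])(\W)(.*?)\2", info)}
    return {"service": service, "pattern": rest[2:end],
            "flags": flags, "info": fields}

def banner_matches(parsed, banner):
    """Apply the parsed pattern to a banner, honouring the i and s flags."""
    opts = re.IGNORECASE if "i" in parsed["flags"] else 0
    if "s" in parsed["flags"]:
        opts |= re.DOTALL
    return re.search(parsed["pattern"], banner, opts) is not None

def delimiter_demo():
    """Same hypothetical pattern with '|' and with '/' as the delimiter."""
    bad = parse_match(r"match backdoor m|^220 (aFtpd|bFtpd)\r?\n|i p/demo/")
    good = parse_match(r"match backdoor m/^220 (aFtpd|bFtpd)\r?\n/i p/demo/")
    return bad["pattern"], good["pattern"]

if __name__ == "__main__":
    kibuv = parse_match(KIBUV_LINE)
    print(kibuv["info"])
    # Constructed banners, derived from the character classes in the pattern.
    for b in ("220 StnyFtpd 0wns j0\r\n",        # one spelling the classes allow
              "220 ........ .... ..\r\n",        # '.' in a class is a literal dot
              "220 StnyFtpX 0wns j0\r\n",        # so 'X' is not accepted
              "220 ProFTPD Server ready.\r\n"):  # ordinary FTP greeting
        print(repr(b), banner_matches(kibuv, b))
    print(delimiter_demo())
```

With `|` as the delimiter the hypothetical pattern is cut at the alternation bar and no longer compiles as a regex, while the `/`-delimited form keeps it whole.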

