SSL worm sigs

[Brian Caswell <bmc () snort org>]

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"EXPERIMENTAL WEB-MISC bad HTTP/1.1 request, potentual 
worm attack"; flow:to_server,established; content:"GET / HTTP/1.1|0a 0d 0a 0d|";  offset:0; depth:18; 
reference:url,securityresponse.symantec.com/avcenter/security/Content/2002.09.13.html; 
classtype:web-application-activity; sid:1881; rev:1;)

As I no longer have an attack lab, I havn't been able to play with the new 
worm that attacks apache-ssl.  However, I have written a sig that looks for
the precurser that the worm sends.   

The worm sends "GET / HTTP/1.1\r\n\r\n" to port 80.  This is not a valid 
HTTP 1.1 request.  This will catch a bunch of lame CGI scanners, and won't 
catch people using the actual exploit, it should catch the worm probing 
your network.

Please test and let me know how the sig works out.  When I get back to work 
tommorow, I will test a bit more, then commit it to the tree for all to 
grab with the snapshots.

-brian


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users