Snort mailing list archives
SSL worm sigs
From: Brian Caswell <bmc () snort org>
Date: Sun, 15 Sep 2002 21:18:11 -0400
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"EXPERIMENTAL WEB-MISC bad HTTP/1.1 request, potential worm attack"; flow:to_server,established; content:"GET / HTTP/1.1|0a 0d 0a 0d|"; offset:0; depth:18; reference:url,securityresponse.symantec.com/avcenter/security/Content/2002.09.13.html; classtype:web-application-activity; sid:1881; rev:1;)

As I no longer have an attack lab, I haven't been able to play with the new worm that attacks apache-ssl. However, I have written a sig that looks for the precursor that the worm sends. The worm sends "GET / HTTP/1.1\r\n\r\n" to port 80. This is not a valid HTTP 1.1 request.

This will catch a bunch of lame CGI scanners, and won't catch people using the actual exploit, but it should catch the worm probing your network.

Please test and let me know how the sig works out. When I get back to work tomorrow, I will test a bit more, then commit it to the tree for all to grab with the snapshots.

-brian

Snort-users mailing list: Snort-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-users
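The following is an added example, not code from Brian's post or from the Snort project: a small Python re-implementation of the content/offset/depth check in the rule above, run over constructed request payloads so you can see exactly which first bytes would fire sid:1881 and which would not. The pattern bytes are copied from the rule as posted (|0a 0d 0a 0d|, i.e. LF CR LF CR); the sample payloads, their names and the helper functions are my own assumptions. The flow:to_server,established condition is not emulated, only the payload match.

```python
# Added example (not from the original post): emulate the content match of
#   content:"GET / HTTP/1.1|0a 0d 0a 0d|"; offset:0; depth:18;
# over constructed client->server payloads. In Snort, depth:N restricts the
# search to the first N bytes of the payload (counted from offset), so with
# offset:0 depth:18 the 18-byte pattern must occupy the very start of the
# request. flow:to_server,established is assumed to hold and is not modelled.

PATTERN = b"GET / HTTP/1.1\x0a\x0d\x0a\x0d"   # bytes from the posted rule
OFFSET = 0                                    # offset:0
DEPTH = 18                                    # depth:18 (== len(PATTERN))


def content_match(payload: bytes,
                  pattern: bytes = PATTERN,
                  offset: int = OFFSET,
                  depth: int = DEPTH) -> bool:
    """Return True if `pattern` appears within `depth` bytes starting at
    `offset` of `payload`, mirroring Snort's content/offset/depth semantics."""
    window = payload[offset:offset + depth]
    return pattern in window


# Constructed sample payloads (hypothetical traffic to port 80).
SAMPLES = {
    # exact probe as encoded in the rule: LF CR LF CR after the request line
    "worm_probe": b"GET / HTTP/1.1\x0a\x0d\x0a\x0d",
    # same probe followed by more data; still inside the 18-byte window
    "worm_probe_with_trailing": b"GET / HTTP/1.1\x0a\x0d\x0a\x0d" + b"junk",
    # normal HTTP/1.1 request with a Host header: must not fire
    "valid_http11": b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    # bare HTTP/1.0 request: different version string, must not fire
    "http10": b"GET / HTTP/1.0\r\n\r\n",
    # CR LF CR LF ordering: does not match the rule's literal byte sequence
    "crlf_variant": b"GET / HTTP/1.1\r\n\r\n",
    # probe shifted by one byte: last pattern byte falls outside depth:18
    "shifted": b" GET / HTTP/1.1\x0a\x0d\x0a\x0d",
}


def scan(samples: dict) -> dict:
    """Apply the rule's content check to every sample; True means sid:1881 fires."""
    return {name: content_match(payload) for name, payload in samples.items()}


if __name__ == "__main__":
    for name, fired in scan(SAMPLES).items():
        print(f"{name:26s} {'ALERT sid:1881' if fired else 'no alert'}")
```

Run it as-is to see the two probe variants fire and the other four stay silent; the "crlf_variant" and "shifted" cases are the ones worth checking against a live sensor when testing the sig, since both differ from the matched bytes by only one position.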
Current thread:
- SSL worm sigs Brian Caswell (Sep 15)
- Re: SSL worm sigs Tim Bogart (Sep 16)
- Re: SSL worm sigs Matt Kettler (Sep 16)
- Re: SSL worm sigs Shane Williams (Sep 16)
- <Possible follow-ups>
- Re: SSL worm sigs Shane Williams (Sep 16)
- Re: SSL worm sigs Tim Bogart (Sep 16)