Snort mailing list archives

Re: SSL worm sigs


From: Tim Bogart <tim.bogart () wcom com>
Date: Mon, 16 Sep 2002 15:53:12 -0400

If you please;  This will probably sound like a stupid question but ...

Are the fences around the actual signature part of the signature, or are they 
delimiters used by snort?

Tia,

Tim B.

On Sunday 15 September 2002 09:18 pm, Brian Caswell wrote:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"EXPERIMENTAL WEB-MISC bad HTTP/1.1 request, potential worm attack";
flow:to_server,established; content:"GET / HTTP/1.1|0a 0d 0a 0d|"; offset:0; depth:18;
reference:url,securityresponse.symantec.com/avcenter/security/Content/2002.09.13.html;
classtype:web-application-activity; sid:1881; rev:1;)

As I no longer have an attack lab, I haven't been able to play with the new
worm that attacks apache-ssl.  However, I have written a sig that looks for
the precursor that the worm sends.

The worm sends "GET / HTTP/1.1\r\n\r\n" to port 80.  This is not a valid
HTTP 1.1 request.  This will catch a bunch of lame CGI scanners, and won't
catch people using the actual exploit, but it should catch the worm probing
your network.

Please test and let me know how the sig works out.  When I get back to work
tomorrow, I will test a bit more, then commit it to the tree for all to
grab with the snapshots.

-brian
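For readers with the same question about the pipes: the following is an added example (not part of this thread and not Snort's own code) that decodes a Snort content string the way the rule engine reads it, with |...| acting purely as delimiters around hex byte values, and then applies the rule's offset/depth window to a few constructed sample payloads. The content string is copied verbatim from the sid 1881 rule quoted above; the sample requests are constructed here, not captured traffic.

```python
from typing import Optional


def parse_content(spec: str) -> bytes:
    """Decode a Snort 'content' string into the raw bytes it matches.

    Text outside |...| is literal; inside the pipes, hex byte values
    (optionally space separated).  The pipes are delimiters only and
    never become part of the matched bytes.  Backslash escapes such as
    \\| \\" \\; \\: yield the literal character.
    """
    out = bytearray()
    hex_buf, in_hex, i = [], False, 0
    while i < len(spec):
        ch = spec[i]
        if in_hex:
            if ch == "|":                       # closing fence: flush hex
                out += bytes.fromhex("".join(hex_buf))
                hex_buf, in_hex = [], False
            elif not ch.isspace():
                hex_buf.append(ch)
        elif ch == "|":                         # opening fence
            in_hex = True
        elif ch == "\\" and i + 1 < len(spec):  # escaped literal
            i += 1
            out += spec[i].encode("latin-1")
        else:
            out += ch.encode("latin-1")
        i += 1
    if in_hex:
        raise ValueError("unterminated hex fence in content string")
    return bytes(out)


def content_matches(payload: bytes, spec: str, offset: int = 0,
                    depth: Optional[int] = None) -> bool:
    """Snort offset/depth window: the whole pattern must lie inside
    payload[offset : offset + depth] (or to the end if depth is None)."""
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    return parse_content(spec) in window


# Content string exactly as posted in the sid 1881 rule.
SID_1881_CONTENT = "GET / HTTP/1.1|0a 0d 0a 0d|"

# Constructed sample payloads (assumptions for this example, not captures).
SAMPLES = {
    "bare request line, bytes as the hex fence spells them": b"GET / HTTP/1.1\n\r\n\r",
    "bare request line, CRLF CRLF": b"GET / HTTP/1.1\r\n\r\n",
    "well-formed HTTP/1.1 request": b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
}


def check_samples() -> dict:
    """Run the rule's content/offset/depth test over every sample."""
    return {n: content_matches(p, SID_1881_CONTENT, offset=0, depth=18)
            for n, p in SAMPLES.items()}
```

Running check_samples() reports which of the three constructed payloads the posted content string actually matches under offset:0; depth:18, which is the kind of test the post asks for before the sig is committed.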


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

