Snort mailing list archives

Re: [Snort-sigs] nimda / code red signatures


From: Phillip G Deneault <deneault () WPI EDU>
Date: Sun, 9 Feb 2003 11:16:44 -0500 (EST)

I have a list of sigs I use to ignore Nimda attempts.  The problem is
that they are also indicative of other vulnerability scanners and such
which you may or may not be interested in seeing.  IMHO, the benefits have
far outweighed the costs since I can now _use_ the IIS "cmd.exe" and IIS
"/scripts/" sigs and not have thousands of false-positives for Nimda
trying to infect non-vulnerable hosts.

These sigs pass on inbound traffic. I still monitor the outbound traffic
looking for these sigs so that I can find infected hosts and users from my
netblock who are using the same content for malicious intent.

To make these catch Nimda worms, just change 'pass' to 'alert', put in
SIDs above 1000000, and drop these in your local.rules file.

Hope this helps
Phil

#NIMBA script RULES
pass tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"nimba virus vector 1"; content:"GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir"; classtype:misc-activity; rev:1;)

pass tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"nimba virus vector 2"; content:"GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir"; classtype:misc-activity; rev:1;)

pass tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"nimba virus vector 3"; content:"GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir"; classtype:misc-activity; rev:1;)

pass tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"nimba virus vector 4"; content:"GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir"; classtype:misc-activity; rev:1;)

pass tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"nimba virus vector 5"; content:"GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir"; classtype:misc-activity; rev:1;)

pass tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"nimba virus vector 6"; content:"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir"; classtype:misc-activity; rev:1;)

pass tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"nimba virus vector 7"; content:"GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir"; classtype:misc-activity; rev:1;)

pass tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"nimba virus vector 8"; content:"GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir"; classtype:misc-activity; rev:1;)

pass tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"nimba virus vector 9"; content:"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir"; classtype:misc-activity; rev:1;)

pass tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"nimba virus vector 10"; content:"GET /scripts/root.exe?/c+dir"; classtype:misc-activity; rev:1;)

#NIMBA cmd.exe RULES

pass tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"nimba virus vector 11"; content:"GET /c/winnt/system32/cmd.exe?/c+dir"; classtype:misc-activity; rev:1;)

pass tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"nimba virus vector 12"; content:"GET /d/winnt/system32/cmd.exe?/c+dir"; classtype:misc-activity; rev:1;)

pass tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"nimba virus vector 13"; content:"GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir"; classtype:misc-activity; rev:1;)

pass tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"nimba virus vector 14"; content:"GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir"; classtype:misc-activity; rev:1;)

pass tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"nimba virus vector 15"; content:"GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir"; classtype:misc-activity; rev:1;)

On Thu, 6 Feb 2003, Jeff Oliveto wrote:

Does anyone have a "definitive" list of vulnerabilities / signatures by
SID that are potential indications of Code Red or Nimda worm scans?


Jeff Oliveto

VP Operations, Clean Communications


(e) joliveto () CleanCommunications com
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Phil Deneault     "We work in the dark, We do what we can,
deneault () wpi edu   We give what we have. Our doubt is our passion,
WPI NetOps         and our passion is our task. The rest is the
InfoSec            madness of art." - Henry James
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
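The nine encoded /scripts/ paths in Phil's rules are one traversal written nine ways; the added example below (not Phil's code and not Snort's) runs them through a simplified double-decoding, lenient-UTF-8 URI normaliser and shows they all collapse to the same path, which is why a normalising HTTP preprocessor lets one rule on the decoded path cover every encoded variant. Only the URI fragments come from the rules above; the decoder's behaviour is an assumed model of a lenient server, not a specification.

```python
import posixpath

# Constructed sample: the post's nine "/scripts/" URIs without "GET " and "?/c+dir".
ENCODED_URIS = [
    "/scripts/..%252f../winnt/system32/cmd.exe",
    "/scripts/..%25%35%63../winnt/system32/cmd.exe",
    "/scripts/..%%35c../winnt/system32/cmd.exe",
    "/scripts/..%%35%63../winnt/system32/cmd.exe",
    "/scripts/..%c1%9c../winnt/system32/cmd.exe",
    "/scripts/..%c0%af../winnt/system32/cmd.exe",
    "/scripts/..%c0%2f../winnt/system32/cmd.exe",
    "/scripts/..%c1%1c../winnt/system32/cmd.exe",
    "/scripts/..%255c../winnt/system32/cmd.exe",
]
HEX = b"0123456789abcdefABCDEF"

def percent_decode(data: bytes) -> bytes:
    """One pass of %XX decoding; a '%' not followed by two hex digits stays literal."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] == 0x25 and i + 2 < len(data) and all(c in HEX for c in data[i + 1:i + 3]):
            out.append(int(data[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(data[i])
            i += 1
    return bytes(out)

def lenient_utf8_decode(data: bytes) -> bytes:
    """Assumed lenient two-byte decoder: a 0xC0-0xDF lead byte is folded with the next
    byte even when the sequence is overlong or the second byte is not a continuation byte."""
    out, i = bytearray(), 0
    while i < len(data):
        b = data[i]
        cp = ((b & 0x1F) << 6) | (data[i + 1] & 0x3F) if i + 1 < len(data) else 0x80
        if 0xC0 <= b <= 0xDF and cp < 0x80:   # fold only overlong encodings of ASCII
            out.append(cp)
            i += 2
        else:
            out.append(b)
            i += 1
    return bytes(out)

def normalize_uri(uri: str) -> str:
    """Decode twice (as a double-decoding server would), map '\\' to '/', collapse '..'."""
    data = uri.encode("latin-1")
    for _ in range(2):
        data = lenient_utf8_decode(percent_decode(data))
    return posixpath.normpath(data.decode("latin-1").replace("\\", "/"))
```

Vectors 11 and 12 (/c/ and /d/) contain no traversal and stay distinct after normalisation, so they still need their own rules.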