Snort mailing list archives
Re: [Snort-sigs] nimda / code red signatures
From: Phillip G Deneault <deneault () WPI EDU>
Date: Sun, 9 Feb 2003 11:16:44 -0500 (EST)
I have a list of sigs I use to ignore Nimda attempts. The problem is that they are also indicative of other vulnerability scanners and such which you may or may not be interested in seeing. IMHO, the benefits have far outweighed the costs since I can now _use_ the IIS "cmd.exe" and IIS "/scripts/" sigs and not have thousands of false-positives for Nimda trying to infect non-vulnerable hosts. These sigs pass on inbound traffic. I still monitor the outbound traffic looking for these sigs so that I can find infected hosts and users from my netblock who are using the same content for malicious intent.

To make these catch Nimda worms, just change 'pass' to 'alert', put in SIDs above 1000000, and drop these in your local.rules file.

Hope this helps

Phil

#NIMBA script RULES
pass tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"nimba virus vector 1"; content:"GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir"; classtype:misc-activity; rev:1;)
pass tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"nimba virus vector 2"; content:"GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir"; classtype:misc-activity; rev:1;)
pass tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"nimba virus vector 3"; content:"GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir"; classtype:misc-activity; rev:1;)
pass tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"nimba virus vector 4"; content:"GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir"; classtype:misc-activity; rev:1;)
pass tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"nimba virus vector 5"; content:"GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir"; classtype:misc-activity; rev:1;)
pass tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"nimba virus vector 6"; content:"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir"; classtype:misc-activity; rev:1;)
pass tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"nimba virus vector 7"; content:"GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir"; classtype:misc-activity; rev:1;)
pass tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"nimba virus vector 8"; content:"GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir"; classtype:misc-activity; rev:1;)
pass tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"nimba virus vector 9"; content:"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir"; classtype:misc-activity; rev:1;)
pass tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"nimba virus vector 10"; content:"GET /scripts/root.exe?/c+dir"; classtype:misc-activity; rev:1;)

#NIMBA cmd.exe RULES
pass tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"nimba virus vector 11"; content:"GET /c/winnt/system32/cmd.exe?/c+dir"; classtype:misc-activity; rev:1;)
pass tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"nimba virus vector 12"; content:"GET /d/winnt/system32/cmd.exe?/c+dir"; classtype:misc-activity; rev:1;)
pass tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"nimba virus vector 13"; content:"GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir"; classtype:misc-activity; rev:1;)
pass tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"nimba virus vector 14"; content:"GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir"; classtype:misc-activity; rev:1;)
pass tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"nimba virus vector 15"; content:"GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir"; classtype:misc-activity; rev:1;)

On Thu, 6 Feb 2003, Jeff Oliveto wrote:
> Does anyone have a "definitive" list of vulnerabilities / signatures by SID that are potential indications of code red or nimda worm scans?
>
> Jeff Oliveto
> VP Operations, Clean Communications
> (e) joliveto () CleanCommunications com
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Phil Deneault          "We work in the dark, We do what we can,
deneault () wpi edu     We give what we have. Our doubt is our passion,
WPI NetOps             and our passion is our task. The rest is the
InfoSec                madness of art." - Henry James
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
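As an added example (not from Phil's post or from the Snort project): a small Python canonicaliser that decodes the double-encoded and overlong-UTF-8 traversal forms used in the fifteen rules above. It shows why each vector needed its own `content:` match on the raw request line, and how a normalising decoder (the job Snort's http_inspect preprocessor does in front of the rules) collapses all of them to a single path. Function names and the sample request lines are my own; the sample lines are built from the rules' content strings.

```python
import re

_PCT = re.compile(rb"%([0-9A-Fa-f]{2})")


def percent_decode(data: bytes, rounds: int = 3) -> bytes:
    """Percent-decode repeatedly (bounded) so %252f -> %2f -> '/' and %%35c -> %5c -> '\\'."""
    for _ in range(rounds):
        out = _PCT.sub(lambda m: bytes([int(m.group(1), 16)]), data)
        if out == data:
            break
        data = out
    return data


def fold_overlong(data: bytes) -> bytes:
    """Collapse two-byte overlong UTF-8 (C0 AF, C1 9C, C1 1C, ...) to the ASCII byte IIS took it for."""
    out, i = bytearray(), 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data):
            v = ((b & 0x1F) << 6) | (data[i + 1] & 0x3F)
            if v < 0x80:  # only non-shortest forms fold back to ASCII
                out.append(v); i += 2; continue
        out.append(b); i += 1
    return bytes(out)


def canonical_path(request_line: str) -> str:
    """Approximate the path a lenient IIS 4/5 would resolve for an HTTP request line."""
    path = request_line.split(" ", 2)[1].split("?", 1)[0]
    raw = fold_overlong(percent_decode(path.encode("latin-1")))
    segments = []
    for seg in raw.decode("latin-1").replace("\\", "/").split("/"):
        if seg == "..":
            if segments: segments.pop()  # never climb above the web root
        elif seg and seg != ".":
            segments.append(seg)
    return "/" + "/".join(segments).lower()


def is_nimda_probe(request_line: str) -> bool:
    """True when the canonical path resolves to the cmd.exe / root.exe targets the rules describe."""
    return canonical_path(request_line).rsplit("/", 1)[-1] in {"cmd.exe", "root.exe"}


if __name__ == "__main__":
    # Constructed samples: vector 6 from the rules above and a benign /scripts/ request
    for line in ("GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir",
                 "GET /scripts/report.asp?id=1 HTTP/1.0"):
        print(line, "->", canonical_path(line), is_nimda_probe(line))
```

The benign request is the case the stock IIS "/scripts/" rule would have alerted on; after canonicalisation it is clearly not a traversal, which is the false-positive class Phil's pass rules were written to suppress.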