Snort mailing list archives
Re: Please post a good Nachi.B Signature
From: James Riden <j.riden () massey ac nz>
Date: Sun, 22 Feb 2004 13:45:25 +1300
Dan <sophie_bo () earthlink net> writes:
> I had already checked the snort sigs mailing list archives to no avail.
> I help secure a 100,000 + node network. The sig for the original Nachi virus worked great.
Ouch. We're only at 5,000+ here, and I need all the help I can get to stop viruses. Obviously we use firewall and AV.

Here's some info from Symantec:
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.b.worm.html

Manhunt appears to use the same signature format as snort, so you might be able to track down some stuff from this:

"Symantec ManHunt
* RPC DCOM
This vector is detected by the custom signature, MS RPC DCOM HEAP Overflow, that was released in Security Update 11.
* SMB Workstation
This vector is detected by the custom signature, SMB Workstation Service Overflow, that was released in Security Update 12.
* HTTP WebDAV
Symantec ManHunt Protocol Anomaly Detection technology detects the activity associated with this exploit as "HTTP Malformed URL (HTTP_BAD_REQURL5)." An event refinement rule has been released in Security Update 20 to specifically detect this as "HTTP IIS Welchia WebDAV SEARCH BO."
* Locator Overflow
This vector is detected by the custom signature, MS NETBIOS Locator Service Buffer Overflow, released in Security Update 20."

You can also learn a lot from looking at portscan.log - email-borne viruses and those that attempt to connect on 135/445 or whatever show up pretty well.

cheers,
Jamie

--
James Riden / j.riden () massey ac nz / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
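The portscan.log hint above (hosts that fan out to 135/445 stand out) is easy to turn into a small triage script. The following is an added example, not code from James Riden or the Snort project; the log line layout is an assumption modelled on Snort 2.x spp_portscan output ("Mon DD HH:MM:SS src:port -> dst:port FLAGS"), and the sample lines are constructed, not a real capture. It flags any source that has tried to reach several distinct hosts on the RPC/SMB ports named in the thread, and leaves ordinary single-host traffic alone.

```python
import re
from collections import defaultdict

# Constructed sample in the style of Snort 2.x spp_portscan's portscan.log.
# Assumed format: "Mon DD HH:MM:SS src:port -> dst:port FLAGS". Not a real capture.
SAMPLE_PORTSCAN_LOG = """\
Feb 21 09:12:01 10.1.4.22:1109 -> 10.1.7.3:135 SYN ******S*
Feb 21 09:12:01 10.1.4.22:1110 -> 10.1.7.4:135 SYN ******S*
Feb 21 09:12:01 10.1.4.22:1111 -> 10.1.7.5:135 SYN ******S*
Feb 21 09:12:02 10.1.4.22:1112 -> 10.1.7.6:445 SYN ******S*
Feb 21 09:12:02 10.1.4.22:1113 -> 10.1.7.7:445 SYN ******S*
Feb 21 09:12:02 10.1.4.22:1114 -> 10.1.7.8:135 SYN ******S*
Feb 21 09:13:10 10.1.9.8:2234 -> 10.1.7.3:80 SYN ******S*
Feb 21 09:13:11 10.1.9.8:2235 -> 10.1.7.3:443 SYN ******S*
Feb 21 09:14:00 10.1.2.2:3301 -> 10.1.7.3:135 SYN ******S*
this line is garbage and must be skipped
"""

# One regex for the assumed line layout; anything that does not match is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) (?P<flags>.*)$"
)

# Ports the thread points at: 135 (RPC DCOM) and 445 (SMB).
WORM_PORTS = frozenset({135, 445})


def parse_portscan_log(text):
    """Yield (src, dst, dport) for every well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("src"), m.group("dst"), int(m.group("dport"))


def find_fanout_sources(text, ports=WORM_PORTS, min_targets=3):
    """Return {src: sorted list of distinct dsts} for sources that touched at least
    min_targets distinct hosts on any of the given ports.

    A single host talking to one file server on 445 is normal; one host sweeping
    many neighbours on 135/445 is the pattern worth looking at on the workstation.
    """
    targets = defaultdict(set)
    for src, dst, dport in parse_portscan_log(text):
        if dport in ports:
            targets[src].add(dst)
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


def summarize(text, ports=WORM_PORTS, min_targets=3):
    """Human-readable one-line-per-source summary, handy for a cron-driven report."""
    hits = find_fanout_sources(text, ports, min_targets)
    return [f"{src}: {len(dsts)} distinct hosts on ports {sorted(ports)}"
            for src, dsts in sorted(hits.items())]


if __name__ == "__main__":
    # Swap SAMPLE_PORTSCAN_LOG for open("/var/log/snort/portscan.log").read() in practice.
    for line in summarize(SAMPLE_PORTSCAN_LOG):
        print(line)
```

The threshold (`min_targets`) is the knob to tune per site: on a 5,000-node network a host that has touched three distinct neighbours on 135/445 within the log window is already unusual, whereas a domain controller or backup server will legitimately talk to many hosts and belongs on an allow-list before this is wired into alerting.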