[Snort-sigs] sadmind worm rule

Chris Green cmg at ...26...
Thu Nov 15 11:05:01 EST 2001


The unicode rules catch this, but this helps one spend less time
diagnosing what's going on.  uricontent would only help check if the
content contained x, not if it was only x.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 \
(msg:"sadmind Worm Probe"; content:"GET x HTTP/1.0"; offset:0; \
depth:15; \
reference:url,www.cert.org/advisories/CA-2001-11.html;)


real traffic:

11/15-11:31:38.186386 0:D0:6:12:A4:80 -> 0:E0:52:90:E1:22 type:0x800 len:0x48
x.x.x.x:65042 -> x.x.x.x:80 TCP TTL:243 TOS:0x0 ID:31541 IpLen:20 DgmLen:58 DF
***AP*** Seq: 0xF2620203  Ack: 0x2055776  Win: 0x2238  TcpLen: 20
47 45 54 20 78 20 48 54 54 50 2F 31 2E 30 0D 0A  GET x HTTP/1.0..
0D 0A


alert tcp $HOME_NET any -> $EXTERNAL_NET 80 \
(msg:"Infected Sadmind worm host"; content:"GET x HTTP/1.0"; offset:0; \
depth:15; \
reference:url,www.cert.org/advisories/CA-2001-11.html;)
-- 
Chris Green <cmg at ...26...>
Don't use a big word where a diminutive one will suffice.
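Added example, not part of the original post: a small Python model of the content/offset/depth match the rule above performs, run over the payload bytes from the packet dump in the post, next to a uricontent-style substring check, to show why the anchored match fires only on the bare "GET x HTTP/1.0" request line.

```python
from typing import Optional

# Payload copied from the packet dump in the post: "GET x HTTP/1.0\r\n\r\n"
CAPTURED_PAYLOAD = bytes.fromhex("474554207820485454502F312E300D0A0D0A")

# Constructed, benign request whose URI happens to contain an "x"
BENIGN_PAYLOAD = b"GET /index.html HTTP/1.0\r\n\r\n"


def content_match(payload: bytes, content: bytes,
                  offset: int = 0, depth: Optional[int] = None) -> bool:
    """Snort-style content match: the pattern must lie entirely within the
    `depth` bytes that follow `offset` (None means the rest of the payload)."""
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    return content in window


def request_uri(payload: bytes) -> Optional[bytes]:
    """Return the Request-URI of an HTTP request line, which is the part of
    the payload a uricontent check inspects; None if the line is malformed."""
    line, _, _ = payload.partition(b"\r\n")
    parts = line.split(b" ")
    return parts[1] if len(parts) == 3 else None


def sadmind_rule_match(payload: bytes) -> bool:
    """The post's rule: content:"GET x HTTP/1.0"; offset:0; depth:15;"""
    return content_match(payload, b"GET x HTTP/1.0", offset=0, depth=15)


def uricontent_x_match(payload: bytes) -> bool:
    """What a plain uricontent:"x" would do: substring test on the URI,
    so it matches any URI containing an x, not only a URI that is just x."""
    uri = request_uri(payload)
    return uri is not None and b"x" in uri


if __name__ == "__main__":
    for name, pkt in (("captured", CAPTURED_PAYLOAD), ("benign", BENIGN_PAYLOAD)):
        print(name, "rule:", sadmind_rule_match(pkt),
              "uricontent x:", uricontent_x_match(pkt))
```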