[Snort-sigs] RE: Snort-sigs digest, Vol 1 #68 - 6 msgs

Nelson, James (CC-MIS Plans and Prog) James.Nelson at ...74...
Wed Sep 19 15:46:05 EDT 2001


To find W32NIMDA, why not just look for exe?/c+dir  

Just a thought.

James


-----Original Message-----
From: snort-sigs-request at lists.sourceforge.net
[mailto:snort-sigs-request at lists.sourceforge.net]
Sent: Wednesday, September 19, 2001 2:09 PM
To: snort-sigs at lists.sourceforge.net
Subject: Snort-sigs digest, Vol 1 #68 - 6 msgs


Send Snort-sigs mailing list submissions to
	snort-sigs at lists.sourceforge.net

To subscribe or unsubscribe via the World Wide Web, visit
	https://lists.sourceforge.net/lists/listinfo/snort-sigs
or, via email, send a message with subject or body 'help' to
	snort-sigs-request at lists.sourceforge.net

You can reach the person managing the list at
	snort-sigs-admin at lists.sourceforge.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-sigs digest..."


Today's Topics:

   1. Concept/Nimda sig (Joao Gouveia)
   2. WEB-IIS File permission canonicalization (Jensenne Roculan)
   3. Re: FTP Nimba Sigs (Was: [Snort-sigs] WEB-IIS File permission
       canonicalization) (Mark Canter)
   4. How and why are older entries dropped (Marc Eggenberger)
   5. Re: How and why are older entries dropped (Brian)

--__--__--

Message: 1
From: "Joao Gouveia" <jgouveia at ...111...>
To: <snort-sigs at lists.sourceforge.net>
Date: Tue, 18 Sep 2001 21:04:20 +0100
Subject: [Snort-sigs] Concept/Nimda sig

Hi all,

Based on a superficial analysis of this new worm, here is a simple sig that
will detect the HTTP attempt.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"Concept-Nimda"; flags: A+; content:"|48 6F 73 74 3A 20 77 77 77 0D 0A|"; )

Regards,

Joao Gouveia



--__--__--

Message: 2
Date: Tue, 18 Sep 2001 21:04:25 -0600 (MDT)
From: Jensenne Roculan <jroculan at ...113...>
To: <snort-sigs at lists.sourceforge.net>
Subject: [Snort-sigs] WEB-IIS File permission canonicalization

Hi there,

Due to the Nimda worm, we're seeing a tonne of these WEB-IIS File
permission canonicalization sigs being set off:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS File permission canonicalization"; uricontent:"/scripts/..%c0%af../"; flags: A+; nocase; classtype:attempted-admin; sid:981; rev:1;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS File permission canonicalization"; uricontent:"/scripts/..%c1%1c../"; flags: A+; nocase; classtype:attempted-admin; sid:982; rev:1;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS File permission canonicalization"; uricontent:"/scripts/..%c1%9c../"; flags: A+; nocase; classtype:attempted

I am just curious as to why these rules were classified as WEB-IIS File
permission canonicalization?  Wouldn't an extended UNICODE classification
be much more suitable or am I missing something?  Thanks in advance.

Cheers,

Jensenne Roculan
SecurityFocus - http://www.securityfocus.com
ARIS - http://aris.securityfocus.com
(403) 213-3939 ext. 229




--__--__--

Message: 3
Date: Tue, 18 Sep 2001 23:36:31 -0400 (EDT)
From: Mark Canter <marcus at ...64...>
To: <snort-sigs at lists.sourceforge.net>
cc: <jroculan at ...113...>
Subject: Re: FTP Nimba Sigs (Was: [Snort-sigs] WEB-IIS File permission
 canonicalization)


alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP Nimba Upload scan"; flags: A+; content:"PASS guest at ...115..."; rev:1;)

The above is the sig. of the Nimba worm FTP login signature.  Cross
posting to bugtraq info below:

mark

---SNIP---

Also, one part that you're not covering of Nimba's virus code that I've seen
attack our FTP servers follows below.  It resides on the FTP server if it
successfully creates it; I imagine it uploads after it does a MKDIR to see if
the directory is writable, then uploads 'readme.exe' to that directory.
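The signatures discussed across this digest (Joao's "Host: www" content match, the three WEB-IIS canonicalization uricontent rules Jensenne quotes, James's "exe?/c+dir" suggestion from the top of the thread, and Mark's FTP "PASS guest" rule) can be run side by side over sample traffic to see what each one does and does not fire on. The following is an added example written for this page, not code from the list, from Snort, or from any of the posters. It models only the content / uricontent / nocase keywords of the quoted rules, ignores TCP flags (every sample is assumed to be an established-session payload), compares the request URI raw without %-decoding (a simplification), and truncates the FTP rule to "PASS guest" because the archive obfuscated the rest of that string. The sample packets are constructed, not captured.

```python
"""Toy Snort-style matcher for the Nimda signatures quoted in this digest.

Added example, not code from the list or from Snort.  It models only the
content / uricontent / nocase keywords of the quoted rules and ignores TCP
flags, so every sample below is assumed to be an established-session payload.
The URI is compared raw (no %-decoding), which is a simplification.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    msg: str
    dport: int
    uricontent: Optional[str] = None   # substring of the request URI, case-insensitive (nocase)
    content: Optional[bytes] = None    # byte substring anywhere in the payload, case-sensitive


# The rules from the digest, plus James's "exe?/c+dir" suggestion written as a
# rule.  The FTP rule is cut down to "PASS guest" because the archive
# obfuscated the rest of the password string in Mark's post.
RULES = [
    Rule("Concept-Nimda", 80, content=b"Host: www\r\n"),   # |48 6F 73 74 3A 20 77 77 77 0D 0A|
    Rule("WEB-IIS File permission canonicalization", 80, uricontent="/scripts/..%c0%af../"),
    Rule("WEB-IIS File permission canonicalization", 80, uricontent="/scripts/..%c1%1c../"),
    Rule("WEB-IIS File permission canonicalization", 80, uricontent="/scripts/..%c1%9c../"),
    Rule("Nimda exe?/c+dir probe", 80, uricontent="exe?/c+dir"),
    Rule("FTP Nimba Upload scan", 21, content=b"PASS guest"),
]


def request_uri(payload: bytes) -> Optional[str]:
    """Return the URI from an HTTP request line, or None if this is not a request."""
    first_line = payload.split(b"\r\n", 1)[0]
    parts = first_line.split(b" ")
    if len(parts) >= 2 and parts[0] in (b"GET", b"HEAD", b"POST"):
        return parts[1].decode("latin-1")
    return None


def matches(rule: Rule, dport: int, payload: bytes) -> bool:
    """True when every condition of the rule holds for this packet."""
    if rule.dport != dport:
        return False
    if rule.content is not None and rule.content not in payload:
        return False
    if rule.uricontent is not None:
        uri = request_uri(payload)
        if uri is None or rule.uricontent.lower() not in uri.lower():
            return False
    return True


def scan(packets: List[Tuple[int, bytes]]) -> List[Tuple[int, str]]:
    """Run every rule over every (dport, payload) pair; return (packet index, msg) hits."""
    hits = []
    for idx, (dport, payload) in enumerate(packets):
        for rule in RULES:
            if matches(rule, dport, payload):
                hits.append((idx, rule.msg))
    return hits


# Constructed sample traffic (not captured data): a /scripts/ traversal probe,
# a traversal probe through a different directory, an ordinary request, and an
# anonymous-style FTP login.
SAMPLE_PACKETS = [
    (80, b"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\nHost: www\r\n\r\n"),
    (80, b"GET /msadc/..%255c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\nHost: www\r\n\r\n"),
    (80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    (21, b"PASS guest@example\r\n"),
]


if __name__ == "__main__":
    for idx, msg in scan(SAMPLE_PACKETS):
        print(f"packet {idx}: {msg}")
```

Running it shows the trade-offs the thread is circling: the three canonicalization rules only fire on the first probe because they are anchored to "/scripts/", while "exe?/c+dir" fires on both traversal variants, at the cost of depending on the probe still ending in "/c+dir". The "Host: www\r\n" content match fires on both probes too, but it will equally fire on any legitimate client that sends a bare "www" Host header, and it does not fire on the ordinary request only because that one sends "www.example.com". The FTP rule is independent of the HTTP ones and only looks at port 21.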


More information about the Snort-sigs mailing list