[Snort-sigs] Nimda Signature?

Robert Wagner rwagner at ...447...
Mon Apr 29 09:30:04 EDT 2002


Been trying to track this for a little bit.  I noticed we didn't have a
signature for the Nimda Worm in the general release.  I think these packets
match the Nimda Worm.  Can anyone confirm?

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS Nimda Worm owssvr.dll attack"; \
    flags: A+; \
    uricontent:"|6F 77 73 73 76 72 2E 64 6C 6C 3F 55 4C 3D 31 26 41 43 54 3D 34 26 42 55 49 4C 44 3D|"; nocase; \
    classtype:web-application-attack; sid: 000; rev:1;)

[**] WEB-IIS Nimda Worm owssvr.dll attack [**]
04/28-19:48:33.347490 66.56.115.219:2632 -> myip:80
TCP TTL:116 TOS:0x0 ID:5336 IpLen:20 DgmLen:363 DF
***AP*** Seq: 0xD3E1DB51  Ack: 0xDFBAC795  Win: 0xFAF0  TcpLen: 20
0x0000: 00 xx xx xx xx xx xx xx xx xx xx xx xx 00 45 00  ....:1..c.....E.
0x0010: 01 6B 14 D8 40 00 74 06 CB 4A 42 38 73 DB xx xx  .k..@.t..JB8s...
0x0020: xx xx 0A 48 00 50 D3 E1 DB 51 DF BA C7 95 50 18  .*.H.P...Q....P.
0x0030: FA F0 6E 66 00 00 47 45 54 20 2F 5F 76 74 69 5F  ..nf..GET /_vti_
0x0040: 62 69 6E 2F 6F 77 73 73 76 72 2E 64 6C 6C 3F 55  bin/owssvr.dll?U
0x0050: 4C 3D 31 26 41 43 54 3D 34 26 42 55 49 4C 44 3D  L=1&ACT=4&BUILD=
0x0060: 32 36 31 34 26 53 54 52 4D 56 45 52 3D 34 26 43  2614&STRMVER=4&C
0x0070: 41 50 52 45 51 3D 30 20 48 54 54 50 2F 31 2E 31  APREQ=0 HTTP/1.1
0x0080: 0D 0A 41 63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 41  ..Accept: */*..A
0x0090: 63 63 65 70 74 2D 45 6E 63 6F 64 69 6E 67 3A 20  ccept-Encoding:
0x00A0: 67 7A 69 70 2C 20 64 65 66 6C 61 74 65 0D 0A 55  gzip, deflate..U
0x00B0: 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C  ser-Agent: Mozil
0x00C0: 6C 61 2F 34 2E 30 20 28 63 6F 6D 70 61 74 69 62  la/4.0 (compatib
0x00D0: 6C 65 3B 20 4D 53 49 45 20 36 2E 30 3B 20 57 69  le; MSIE 6.0; Wi
0x00E0: 6E 64 6F 77 73 20 4E 54 20 35 2E 31 3B 20 51 33  ndows NT 5.1; Q3
0x00F0: 31 32 34 36 31 29 0D 0A 48 6F 73 74 3A 20 77 77  12461)..Host: ww
...
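As an added example, not code from the original post, the following Python decodes the rule's piped hex uricontent into its printable form and emulates the "uricontent ... nocase" check against the request reassembled from the dump above; the Host header value is made up, since the dump is truncated there.

```python
# Snort rule uricontent string from the post: hex byte pairs between pipes.
NIMDA_URICONTENT = ("|6F 77 73 73 76 72 2E 64 6C 6C 3F "
                    "55 4C 3D 31 26 41 43 54 3D 34 26 42 55 49 4C 44 3D|")


def decode_snort_content(pattern: str) -> bytes:
    """Turn a Snort content/uricontent string into raw bytes.

    Text outside |...| is literal; text inside is hex pairs separated by
    whitespace, e.g. 'abc|20|def' -> b'abc def'.
    """
    out = bytearray()
    for i, part in enumerate(pattern.split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")
        else:
            out += bytes.fromhex(part)  # fromhex skips whitespace between pairs
    return bytes(out)


def request_uri(http_request: bytes) -> bytes:
    """Return the URI field from the request line of a raw HTTP request."""
    fields = http_request.split(b"\r\n", 1)[0].split(b" ")
    return fields[1] if len(fields) >= 2 else b""


def uricontent_matches(pattern: str, http_request: bytes, nocase: bool = True) -> bool:
    """Emulate 'uricontent:"..."; nocase;' against one raw request."""
    needle = decode_snort_content(pattern)
    haystack = request_uri(http_request)
    if nocase:
        needle, haystack = needle.lower(), haystack.lower()
    return needle in haystack


# Constructed sample: request line and headers rebuilt from the hex dump in the
# post; the Host value is invented because the dump cuts off after "ww".
NIMDA_REQUEST = (
    b"GET /_vti_bin/owssvr.dll?UL=1&ACT=4&BUILD=2614&STRMVER=4&CAPREQ=0 HTTP/1.1\r\n"
    b"Accept: */*\r\n"
    b"Accept-Encoding: gzip, deflate\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312461)\r\n"
    b"Host: www.example.com\r\n\r\n"
)
BENIGN_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

if __name__ == "__main__":
    print(decode_snort_content(NIMDA_URICONTENT))          # the pattern as text
    print(uricontent_matches(NIMDA_URICONTENT, NIMDA_REQUEST))   # True
    print(uricontent_matches(NIMDA_URICONTENT, BENIGN_REQUEST))  # False
```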