[Snort-sigs] Nimda Signature?

Matt Kettler mkettler at ...189...
Mon Apr 29 10:27:18 EDT 2002


Any reason you chose to use hex format for this signature? All the 
characters you are representing are plain ASCII and it might be clearer if 
you did it like this:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS Nimda Worm owssvr.dll attack"; \
    flags: A+; uricontent:"owssvr.dll?UL=1&ACT=4&BUILD="; nocase; \
    classtype:web-application-attack; sid: 000; rev:1;)

That's a direct translation of the hex codes you put in your rule, and is 
far easier to read and evaluate for accuracy than a hex dump of ASCII codes.

Translated in parts:

6F 77 73 73 76 72 2E 64 6C 6C 3F
owssvr.dll?

55 4C 3D 31 26
UL=1&

41 43 54 3D 34 26
ACT=4&

42 55 49 4C 44 3D
BUILD=


So is owssvr.dll used in any valid GET requests outside of Nimda? Are those 
parameters Nimda-specific?


At 11:29 AM 4/29/2002 -0500, Robert Wagner wrote:
>Been trying to track this for a little bit.  I noticed we didn't have a
>signature for the Nimda Worm in the general release.  I think these packets
>match the Nimda Worm.  Can anyone confirm?
>
>alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS Nimda Worm owssvr.dll attack"; \
>    flags: A+; uricontent:"|6F 77 73 73 76 72 2E 64 6C 6C 3F 55 4C 3D 31 26 41 43 54 3D 34 26 42 55 49 4C 44 3D|"; \
>    nocase; classtype:web-application-attack; sid: 000; rev:1;)
>
>[**] WEB-IIS Nimda Worm owssvr.dll attack [**]
>04/28-19:48:33.347490 66.56.115.219:2632 -> myip:80
>TCP TTL:116 TOS:0x0 ID:5336 IpLen:20 DgmLen:363 DF
>***AP*** Seq: 0xD3E1DB51  Ack: 0xDFBAC795  Win: 0xFAF0  TcpLen: 20
>0x0000: 00 xx xx xx xx xx xx xx xx xx xx xx xx 00 45 00  ....:1..c.....E.
>0x0010: 01 6B 14 D8 40 00 74 06 CB 4A 42 38 73 DB xx xx  .k.. at ...569...,
>0x0020: xx xx 0A 48 00 50 D3 E1 DB 51 DF BA C7 95 50 18  .*.H.P...Q....P.
>0x0030: FA F0 6E 66 00 00 47 45 54 20 2F 5F 76 74 69 5F  ..nf..GET /_vti_
>0x0040: 62 69 6E 2F 6F 77 73 73 76 72 2E 64 6C 6C 3F 55  bin/owssvr.dll?U
>0x0050: 4C 3D 31 26 41 43 54 3D 34 26 42 55 49 4C 44 3D  L=1&ACT=4&BUILD=
>0x0060: 32 36 31 34 26 53 54 52 4D 56 45 52 3D 34 26 43  2614&STRMVER=4&C
>0x0070: 41 50 52 45 51 3D 30 20 48 54 54 50 2F 31 2E 31  APREQ=0 HTTP/1.1
>0x0080: 0D 0A 41 63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 41  ..Accept: */*..A
>0x0090: 63 63 65 70 74 2D 45 6E 63 6F 64 69 6E 67 3A 20  ccept-Encoding:
>0x00A0: 67 7A 69 70 2C 20 64 65 66 6C 61 74 65 0D 0A 55  gzip, deflate..U
>0x00B0: 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C  ser-Agent: Mozil
>0x00C0: 6C 61 2F 34 2E 30 20 28 63 6F 6D 70 61 74 69 62  la/4.0 (compatib
>0x00D0: 6C 65 3B 20 4D 53 49 45 20 36 2E 30 3B 20 57 69  le; MSIE 6.0; Wi
>0x00E0: 6E 64 6F 77 73 20 4E 54 20 35 2E 31 3B 20 51 33  ndows NT 5.1; Q3
>0x00F0: 31 32 34 36 31 29 0D 0A 48 6F 73 74 3A 20 77 77  12461)..Host: ww
>...
>
>_______________________________________________
>Snort-sigs mailing list
>Snort-sigs at lists.sourceforge.net
>https://lists.sourceforge.net/lists/listinfo/snort-sigs
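Editor's added example (not code from either poster or from Snort): the hex-to-ASCII translation Matt does by hand above, done in Python both ways, plus a check that the proposed uricontent actually matches the request URI in the quoted packet dump. The dump lines and the uricontent string are copied from Robert's post; the payload offset (14-byte Ethernet header + IpLen:20 + TcpLen:20 = 0x36) and the dump-parsing rules are assumptions of this example. The match test is a plain substring search over the raw request-target, not Snort's normalised-URI matching.

```python
"""Added example: Snort |hex| content <-> ASCII, and a uricontent check
against the packet dump quoted in the thread (constructed sample data)."""
import re

# The uricontent exactly as posted, in hex form.
RULE_URICONTENT = ("|6F 77 73 73 76 72 2E 64 6C 6C 3F 55 4C 3D 31 26 "
                   "41 43 54 3D 34 26 42 55 49 4C 44 3D|")

# Constructed from the quoted dump: only the lines carrying the start of
# the HTTP request (the header-only lines with xx placeholders are omitted).
PACKET_DUMP = """\
0x0030: FA F0 6E 66 00 00 47 45 54 20 2F 5F 76 74 69 5F  ..nf..GET /_vti_
0x0040: 62 69 6E 2F 6F 77 73 73 76 72 2E 64 6C 6C 3F 55  bin/owssvr.dll?U
0x0050: 4C 3D 31 26 41 43 54 3D 34 26 42 55 49 4C 44 3D  L=1&ACT=4&BUILD=
0x0060: 32 36 31 34 26 53 54 52 4D 56 45 52 3D 34 26 43  2614&STRMVER=4&C
0x0070: 41 50 52 45 51 3D 30 20 48 54 54 50 2F 31 2E 31  APREQ=0 HTTP/1.1
0x0080: 0D 0A 41 63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 41  ..Accept: */*..A
"""

# Assumption from the dump header: Ethernet (14) + IpLen:20 + TcpLen:20,
# so the TCP payload begins at offset 0x36.
PAYLOAD_OFFSET = 14 + 20 + 20

# Bytes that must be hex-escaped inside a Snort content string.
_SPECIAL = frozenset(b'|";\\')
_HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")


def snort_content_to_bytes(content: str) -> bytes:
    """Expand a Snort content string: text outside |...| is literal ASCII,
    text inside |...| is space-separated hex bytes."""
    parts = content.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in content string")
    out = bytearray()
    for i, part in enumerate(parts):
        out += part.encode("ascii") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)


def bytes_to_snort_content(data: bytes) -> str:
    """Inverse: printable ASCII stays literal; non-printable bytes and the
    characters Snort treats specially go into |hex| runs."""
    out, hexrun = [], []

    def flush():
        if hexrun:
            out.append("|" + " ".join(f"{b:02X}" for b in hexrun) + "|")
            hexrun.clear()

    for b in data:
        if 0x20 <= b <= 0x7E and b not in _SPECIAL:
            flush()
            out.append(chr(b))
        else:
            hexrun.append(b)
    flush()
    return "".join(out)


def parse_hexdump(text: str) -> tuple:
    """Return (offset of first byte, bytes) for a Snort-style hex dump.
    Reads at most 16 hex columns per line and ignores the ASCII gutter."""
    base, data = None, bytearray()
    for line in text.splitlines():
        m = re.match(r"^0x([0-9A-Fa-f]+):\s*(.*)$", line)
        if not m:
            continue
        if base is None:
            base = int(m.group(1), 16)
        for tok in m.group(2).split()[:16]:
            if not _HEX_BYTE.match(tok):   # reached the ASCII gutter
                break
            data.append(int(tok, 16))
    if base is None:
        raise ValueError("no dump lines found")
    return base, bytes(data)


def extract_request_uri(payload: bytes) -> bytes:
    """Return the request-target from the first line of an HTTP request."""
    fields = payload.split(b"\r\n", 1)[0].split(b" ")
    if len(fields) != 3:
        raise ValueError("malformed request line")
    return fields[1]


def uricontent_matches(uri: bytes, content: str, nocase: bool = True) -> bool:
    """Substring test the way uricontent (with/without nocase) behaves,
    applied to the raw request-target rather than Snort's normalised URI."""
    needle = snort_content_to_bytes(content)
    return needle.lower() in uri.lower() if nocase else needle in uri


def check_rule_against_capture() -> tuple:
    """(captured URI, does the posted uricontent match it)"""
    base, data = parse_hexdump(PACKET_DUMP)
    uri = extract_request_uri(data[PAYLOAD_OFFSET - base:])
    return uri, uricontent_matches(uri, RULE_URICONTENT)


if __name__ == "__main__":
    print("uricontent as text:",
          bytes_to_snort_content(snort_content_to_bytes(RULE_URICONTENT)))
    uri, hit = check_rule_against_capture()
    print("captured URI:", uri.decode("ascii"), "-> match" if hit else "-> no match")
```

Running it prints the uricontent in the plain form Matt suggests and confirms the posted bytes are a substring of the captured `/_vti_bin/owssvr.dll?UL=1&ACT=4&BUILD=2614&...` request-target. Note that `bytes_to_snort_content` only emits `|hex|` runs for bytes that genuinely need them (`|`, `"`, `;`, `\` and non-printables), which is the readability point being made in the reply.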
