[Snort-sigs] Rule for frethem worm web probes

Russell Fulton r.fulton at ...575...
Thu Aug 15 16:08:02 EDT 2002


Here is a rule for detecting web probes from later versions of the
frethem worm

alert tcp any any -> any $HTTP_PORTS (msg:"VIRUS frethem.E web probes";\
flow:to_server,established; uricontent:" /b.cgi&"; nocase;\
classtype:trojan-activity; )

Beware the line wrap!

I have not had a chance to test this on live data as our worm stopped
probing shortly before I got the rule into snort and I seem to have
overwritten the tcpdump file where I picked up the original signatures.

-- 
Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand

"It ain't necessarily so"  - Gershwin