[Snort-sigs] Rule for frethem worm web probes
r.fulton at ...575...
Thu Aug 15 16:08:02 EDT 2002
Here is a rule for detecting web probes from later versions of the
alert tcp any any -> any $HTTP_PORTS (msg:"VIRUS frethem.E web probes"; \
  flow:to_server,established; uricontent:" /b.cgi&"; nocase;)
Beware the line wrap!
I have not had a chance to test this on live data as our worm stopped
probing shortly before I got the rule into snort and I seem to have
overwritten the tcpdump file where I picked up the original signatures.
Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand
"It ain't necessarily so" - Gershwin
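Added harness for the rule above (my code, not Russell's and not Snort's): it parses the rule's option block, then runs the `uricontent`/`nocase` pattern over a few constructed HTTP probes two ways, once against the request-URI only (what Snort documents `uricontent` as inspecting; that semantics is the assumption under test here) and once against the raw payload as `content` would. The sample requests are made up, not captured worm traffic. The contrast matters because the posted pattern starts with a space, and a request-URI never contains one, so the same pattern behaves very differently in the two buffers.

```python
"""Emulate the matching part of the posted Snort rule over constructed HTTP probes.

Added example for this thread, not code from the original post or from Snort.
It models two buffers only:
  * uricontent: pattern searched in the request-URI of the HTTP request line
    (the token after the method); this is the assumption under test
  * content:    pattern searched in the raw TCP payload
flow tracking, $HTTP_PORTS and full URI normalization are out of scope.
"""
import re

# The rule as posted (msg spelling fixed, option block closed), with Snort's
# backslash line continuation kept so parse_rule() has to undo it.
RULE = (
    'alert tcp any any -> any $HTTP_PORTS (msg:"VIRUS frethem.E web probes";\\\n'
    'flow:to_server,established; uricontent:" /b.cgi&"; nocase;)'
)

# Constructed sample payloads (not real worm traffic): two hits on /b.cgi&,
# one with different case, one unrelated request.
PROBES = [
    b"GET /b.cgi&arg=1 HTTP/1.0\r\nHost: www.example.test\r\n\r\n",
    b"GET /B.CGI&x HTTP/1.0\r\n\r\n",
    b"GET /index.html HTTP/1.0\r\n\r\n",
    b"POST /b.cgi&data HTTP/1.1\r\n\r\n",
]

# One rule option: name, optional ":value" (quoted or bare), terminating ";"
_OPT_RE = re.compile(r'\s*(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')


def parse_rule(rule: str) -> dict:
    """Split a rule into its header tokens and an option dict (bare flags -> True)."""
    rule = rule.replace("\\\n", "")            # undo line continuation
    header, _, body = rule.partition("(")      # first "(" opens the option block
    body = body.rstrip()
    if not body.endswith(")"):
        raise ValueError("rule option block is not closed with ')'")
    options = {}
    for name, value in _OPT_RE.findall(body[:-1]):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]                # keep inner whitespace verbatim
        elif value == "":
            value = True                       # flag option such as nocase
        options[name] = value
    return {"header": header.split(), "options": options}


def request_uri(payload: bytes) -> bytes:
    """Request-URI of an HTTP request: second token of the first line."""
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    return parts[1] if len(parts) >= 2 else b""


def _find(pattern: bytes, buf: bytes, nocase: bool) -> bool:
    return pattern.lower() in buf.lower() if nocase else pattern in buf


def uricontent_matches(options: dict, payload: bytes) -> bool:
    """uricontent semantics: search only the request-URI."""
    return _find(options["uricontent"].encode(), request_uri(payload),
                 bool(options.get("nocase")))


def content_matches(pattern: str, payload: bytes, nocase: bool) -> bool:
    """content semantics: search the whole payload."""
    return _find(pattern.encode(), payload, nocase)


def evaluate(rule: str, probes: list) -> list:
    """Per probe: (uricontent hit, raw content hit) using the rule's own pattern."""
    options = parse_rule(rule)["options"]
    pattern, nocase = options["uricontent"], bool(options.get("nocase"))
    return [(uricontent_matches(options, p), content_matches(pattern, p, nocase))
            for p in probes]


def lint_rule(rule: str) -> list:
    """Checks worth running before loading a contributed rule."""
    options = parse_rule(rule)["options"]
    warnings = []
    pattern = options.get("uricontent")
    if pattern is not None and any(ch.isspace() for ch in pattern):
        warnings.append("uricontent contains whitespace, which a request-URI "
                        "never does, so the option can never match")
    if "sid" not in options:
        warnings.append("no sid option; alerts from this rule cannot be tracked by id")
    return warnings


if __name__ == "__main__":
    for warning in lint_rule(RULE):
        print("warning:", warning)
    fixed = RULE.replace('" /b.cgi&"', '"/b.cgi&"')   # pattern without the leading space
    for label, r in (("as posted", RULE), ("no leading space", fixed)):
        print(label, evaluate(r, PROBES))
```

Running it shows the posted pattern hitting every /b.cgi& probe as a raw `content` search but none of them as `uricontent`, while the same pattern without the leading space hits in both buffers; the lint also flags the missing `sid`, which any rule meant for sharing should carry.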