[Snort-sigs] nimda / code red signatures

Phillip G Deneault deneault at ...920...
Sun Feb 9 08:17:04 EST 2003


I have a list of sigs I use to ignore Nimda attempts.  The problem is
that they are also indicative of other vulnerability scanners and such
which you may or may not be interested in seeing.  IMHO, the benefits have
far outweighed the costs since I can now _use_ the IIS "cmd.exe" and IIS
"/scripts/" sigs and not have thousands of false-positives for Nimda
trying to infect non-vulnerable hosts.

These sigs pass on inbound traffic. I still monitor the outbound traffic
looking for these sigs so that I can find infected hosts and users from my
netblock who are using the same content for malicious intent.

To make these catch Nimda worms, just change 'pass' to 'alert', put in
SIDs above 1000000, and drop these in your local.rules file.

Hope this helps
Phil

#NIMDA script RULES (traversal variants of the same request, one per encoding)
pass tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"nimba virus vector 1"; content:"GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir"; classtype:misc-activity; rev:1;)

pass tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"nimba virus vector 2"; content:"GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir"; classtype:misc-activity; rev:1;)

pass tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"nimba virus vector 3"; content:"GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir"; classtype:misc-activity; rev:1;)

pass tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"nimba virus vector 4"; content:"GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir"; classtype:misc-activity; rev:1;)

pass tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"nimba virus vector 5"; content:"GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir"; classtype:misc-activity; rev:1;)

pass tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"nimba virus vector 6"; content:"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir"; classtype:misc-activity; rev:1;)

pass tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"nimba virus vector 7"; content:"GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir"; classtype:misc-activity; rev:1;)

pass tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"nimba virus vector 8"; content:"GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir"; classtype:misc-activity; rev:1;)

pass tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"nimba virus vector 9"; content:"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir"; classtype:misc-activity; rev:1;)

pass tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"nimba virus vector 10"; content:"GET /scripts/root.exe?/c+dir"; classtype:misc-activity; rev:1;)

#NIMDA cmd.exe RULES (virtual-directory and traversal paths to cmd.exe)

pass tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"nimba virus vector 11"; content:"GET /c/winnt/system32/cmd.exe?/c+dir"; classtype:misc-activity; rev:1;)

pass tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"nimba virus vector 12"; content:"GET /d/winnt/system32/cmd.exe?/c+dir"; classtype:misc-activity; rev:1;)

pass tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"nimba virus vector 13"; content:"GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir"; classtype:misc-activity; rev:1;)

pass tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"nimba virus vector 14"; content:"GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir"; classtype:misc-activity; rev:1;)

pass tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"nimba virus vector 15"; content:"GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir"; classtype:misc-activity; rev:1;)

On Thu, 6 Feb 2003, Jeff Oliveto wrote:

> Does anyone have a "definitive" list of vulnerabilities / signatures by
> SID that are potential indications of code red or nimda worm scans?
>
>
> Jeff Oliveto
>
> VP Operations, Clean Communications
>
>
> (e) joliveto at ...1262...

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Phil Deneault     "We work in the dark, We do what we can,
deneault at ...919...   We give what we have. Our doubt is our passion,
WPI NetOps         and our passion is our task. The rest is the
InfoSec            maddness of art." - Henry James
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-