RES: [Snort-sigs] W32.Bugbear.B at ...110... Signature

daniel.clemens daniel_clemens at ...842...
Sat Jun 7 01:31:02 EDT 2003


This was on the Symantec website around 11am.

alert tcp any any -> any 25 \
(msg:"BugBear B SMTP Worm Propagation"; \
content:"CwEGAAAgAQAAEAAAAOAGACABCAAA8AYAABAIAAAAQAAAEAAAAAIAAAQAAAAA"; classtype:misc-attack;)

You could also change the ports to 110 if it was originating from your POP
server... to the client.

alert tcp any 110 -> any any \
(msg:"BugBear B SMTP Worm Propagation"; \
content:"CwEGAAAgAQAAEAAAAOAGACABCAAA8AYAABAIAAAAQAAAEAAAAAIAAAQAAAAA"; classtype:misc-attack;)

-Dan


On Fri, 6 Jun 2003, Rodrigo Ramos wrote:

> Hey Guys,
>
> Does anyone have a signature for POP or SMTP?
>
> Best Regards,
> Rodrigo Ramos
>
>
> -----Original Message-----
> From: snort-sigs-admin at lists.sourceforge.net
> [mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of Tinsley Paul
> Sent: Friday, June 6, 2003 09:59
> To: 'snort-sigs at lists.sourceforge.net'
> Subject: [Snort-sigs] W32.Bugbear.B at ...110... Signature
>
> Bugbear seems to be a mean one, I ran across this signature on Symantec's
> site.  Figured I would pass this along in case anybody needed it.
>
> alert tcp any any -> any 139 (msg:"BugBear B Network Worm Propagation"; \
> content:"|0B010600002001000010000000E006002001080000F00600001008000000400000100000000200000400000000000000040000000000000000200800001000000000000002000000000010000010000000001000001000000000000010000000000000000000000000100800640100000000000000000000000000000000000000000000000000641108000C|"; \
> content:"|555058300000000000E0060000100000|"; classtype:misc-activity; \
> sid:900019; rev:1;)
>
> Thanks,
> Paul Tinsley
> Senior Security Engineer
> Security Assurance
> 2555 Park Plaza, DC-3N
> Nashville, TN 37075
> Office: (615) 344-6403
> Pager: (615) 960-7766 or paul.tinsley at ...1250...
> Cell:    (615) 973-5353
> mailto:paul.tinsley at ...1515...
>
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by:  Etnus, makers of TotalView, The best
> thread debugger on the planet. Designed with thread debugging features
> you've never dreamed of, try TotalView 6 free at www.etnus.com.
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs

-Daniel Uriah Clemens

Esse quam videra
    		(to be, rather than to appear)
http://www.birmingham-infragard.org   | 2053284200
fingerprint: EDF0 6566 2A4A 220E 5760  EA1F 0424 6DF6 F662 F5BD
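
Added example (not part of the original thread): the content string in the port 25/110 rules is the Base64 encoding of the first 45 bytes of the hex content in the quoted port 139 rule, so it only matches when those bytes start at a file offset that is a multiple of 3 and the string is not split by a MIME line break. The sketch below derives the three alignment variants and checks the posted string against constructed sample attachments; `stable_b64`, `content_would_match` and `sample` are hypothetical helper names, and the filler bytes are constructed.

```python
import base64

# First 45 bytes of the hex content in the quoted port-139 rule on this page.
HEADER_BYTES = bytes.fromhex(
    "0B010600002001000010000000E006002001080000F0060000100800000040"
    "0000" "100000000200000400000000")
# content string of the port-25 / port-110 rules on this page.
SMTP_CONTENT = "CwEGAAAgAQAAEAAAAOAGACABCAAA8AYAABAIAAAAQAAAEAAAAAIAAAQAAAAA"


def stable_b64(data: bytes, offset: int) -> str:
    """Base64 characters that `data` always yields when it starts `offset`
    bytes into a file (only offset % 3 matters). Characters that also encode
    bits of neighbouring bytes are trimmed off both ends."""
    lead = offset % 3
    padded = b"\x00" * lead + data
    enc = base64.b64encode(padded).decode()
    start = (0, 2, 3)[lead]                       # chars mixed with preceding bytes
    end = len(enc) - (4 if len(padded) % 3 else 0)  # drop a partial final group
    return enc[start:end]


def content_would_match(attachment: bytes) -> bool:
    """Literal content test against a Base64 body wrapped at 76 characters."""
    body = base64.encodebytes(attachment).decode()
    return SMTP_CONTENT in body


def sample(offset: int) -> bytes:
    """Constructed attachment: zero filler, the header bytes, more filler."""
    return b"\x00" * offset + HEADER_BYTES + b"\x00" * 20


if __name__ == "__main__":
    # One candidate content string per alignment.
    for off in range(3):
        print(off, stable_b64(HEADER_BYTES, off))
    # Offsets 1 and 2 are misaligned; 15 is aligned but straddles a line wrap.
    for off in (0, 1, 2, 3, 15, 57):
        print(off, content_would_match(sample(off)))
```

Covering every alignment takes one content string per variant, and a literal match still misses a string that straddles the 76-character line wrap.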