[Snort-sigs] SID 1809 documentation

Kevin Peuhkurinen kevin.peuhkurinen at ...1555...
Mon Jun 9 08:49:01 EDT 2003


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others. References in the rules themselves
# should be used for linking to others' work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id$
#
#

Rule:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Apache Chunked-Encoding worm attempt"; flow:to_server,established; content:"CCCCCCC\: AAAAAAAAAAAAAAAAAAA"; nocase; classtype:web-application-attack; reference:bugtraq,4474; reference:cve,CAN-2002-0079; reference:bugtraq,5033; reference:cve,CAN-2002-0392; sid:1809; rev:2;)
--
Sid:
1809
--
Summary:
The "Scalper" worm is attempting to infect your web server.
--
Impact:
An infected server will open ports and listen for commands as well as 
attempt to infect more systems.
--
Detailed Information:
This worm takes advantage of the chunked encoding vulnerability in 
Apache to infect new systems. Once infected, the worm opens UDP port 
2001 and will listen for additional commands. It will also begin 
scanning for new hosts to infect.
--
Affected Systems:
Versions of Apache 1.3 up to and including 1.3.24 and versions of Apache 
2.0 up to 2.0.36. All versions of Apache 1.2 are vulnerable. This worm 
will only infect systems running FreeBSD.
--
Attack Scenarios:
Typical self-replicating worm.
--
Ease of Attack:
Easy – fully automated.
--
False Positives:
Highly Unlikely.
--
False Negatives:
None known.
--
Corrective Action:
Upgrade your installation of Apache if you are running a vulnerable version.
--
Contributors:
Kevin Peuhkurinen
-- 
Additional References:
http://securityresponse.symantec.com/avcenter/venc/data/freebsd.scalper.worm.html
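
Added example (not part of the original post and not Snort's own code): a small Python reader for the rule quoted above that splits its option list, decodes the content argument including the \: escape, and applies it with nocase to two constructed payloads. The function names, the sample requests and the www.example.test host are assumptions made for illustration; flow and port conditions are not evaluated.

```python
RULE = (  # rule text from the post, joined onto one line
    r'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
    r'(msg:"WEB-MISC Apache Chunked-Encoding worm attempt"; '
    r'flow:to_server,established; '
    r'content:"CCCCCCC\: AAAAAAAAAAAAAAAAAAA"; nocase; '
    r'classtype:web-application-attack; reference:bugtraq,4474; '
    r'reference:cve,CAN-2002-0079;reference:bugtraq,5033; '
    r'reference:cve,CAN-2002-0392; sid:1809; rev:2;)')

def parse_options(rule):
    """Split the option list on ';', honouring quotes and backslash escapes."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts, cur, quoted, i = [], "", False, 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):  # keep escaped char with its backslash
            cur, i = cur + body[i:i + 2], i + 2
            continue
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            opts.append(cur.strip())
            cur = ""
        else:
            cur += ch
        i += 1
    return [tuple(o.split(":", 1)) if ":" in o else (o, None) for o in opts if o]

def content_bytes(value):
    """Decode a content argument: \\x becomes x, |41 42| becomes raw bytes."""
    text, out, i = value.strip().strip('"'), bytearray(), 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            out += text[i + 1].encode()
            i += 2
        elif text[i] == "|":
            end = text.index("|", i + 1)
            out += bytes.fromhex(text[i + 1:end])
            i = end + 1
        else:
            out += text[i].encode()
            i += 1
    return bytes(out)

def matches(rule, payload):
    """True if every content option is found in payload (flow/ports not evaluated)."""
    opts = parse_options(rule)
    for n, (key, val) in enumerate(opts):
        if key == "content":
            needle, hay = content_bytes(val), payload
            # Simplification: nocase is honoured only when it directly follows content.
            if opts[n + 1:n + 2] == [("nocase", None)]:
                needle, hay = needle.lower(), hay.lower()
            if needle not in hay:
                return False
    return True

# Constructed payloads, not captured traffic; the host name is a placeholder.
NEEDLE = content_bytes(dict(parse_options(RULE))["content"])
HIT = b"POST / HTTP/1.1\r\nHost: www.example.test\r\n" + NEEDLE.lower() + b"\r\n\r\n"
MISS = b"POST / HTTP/1.1\r\nHost: www.example.test\r\nTransfer-Encoding: chunked\r\n\r\n"
```

HIT carries the marker in lower case to show the effect of nocase; MISS is an ordinary chunked request without the marker.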





