[Snort-sigs] some new signatures to consider

Kreimendahl, Chad J Chad.Kreimendahl at ...361...
Mon Jun 9 10:56:09 EDT 2003


There are 3 sets of rules here... 1 for Dameware, 1 for Directory
listings from webservers and the final for those probing for the OpenSSL
worm (or the worm itself)

----------------------------------------
For Dameware. The default Destination port for dameware is 6129... so
the first rule only catches if people don't change that port.  The
second rule also assumes the defaults, and currently these should all be
positive hits... the third should be caught on systems which the second
doesn't catch... the fourth is caught when users install custom ini
files for dameware.

1.  alert tcp $EXTERNAL_NET any -> $HOME_NET 6129 (msg:"BACKDOOR Dameware Remote Control Connect"; flags:S; flow:to_server; classtype:attempted-admin; sid:whatever; rev:1;)

2.  alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"BACKDOOR Dameware Remote Control Service Install"; flow:to_server,established; content:"DWRCK.DLL"; nocase; classtype:successful-admin; sid:whatever; rev:1;)

3.  alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"BACKDOOR Dameware Remote Control Service Install"; flow:to_server,established; content:"D|00|W|00|R|00|C|00|K"; classtype:successful-admin; sid:whatever; rev:1;)

4.  alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"BACKDOOR Dameware Remote Control INI Install"; flow:to_server,established; content:"DWRCS.INI"; nocase; classtype:successful-admin; sid:whatever; rev:1;)


--------------------------------------
Potential new version of directory listing (for successful hits): 

5.  alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"WEB MISC Directory Listing"; flow:to_client,established; content:"200 OK"; content:"directory of"; nocase; classtype:successful-admin; sid:whatever; rev:1;)


----------------------------------------
Rule to catch openSSL worm probes

6.  alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"UMB OpenSSL Worm probe"; flow:to_server; content:"GET /mod_ssl\:error\:HTTP-request HTTP/1.0"; nocase; classtype:trojan-activity; sid:whatever; rev:1;)
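To see which of the rules above would fire on which bytes, here is an added example (not from the post, not Snort code) that re-implements the content-matching part of these rules: the |xx| hex-byte notation, the backslash escapes, nocase applying to the preceding content, and multiple content options being ANDed. The rule names, helper names (parse_content, content_matches, fired) and payloads are constructed for the example.

```python
def parse_content(spec: str) -> bytes:
    """Convert a Snort content string to raw bytes: |xx xx| hex blocks
    (D|00|W|00|R|00|C|00|K is 'DWRCK' in UTF-16LE) and \\ escapes."""
    out, i = bytearray(), 0
    while i < len(spec):
        c = spec[i]
        if c == "|":                       # hex block, e.g. |00| or |44 00|
            end = spec.index("|", i + 1)
            out += bytes.fromhex(spec[i + 1:end])
            i = end + 1
        elif c == "\\":                    # escaped literal: \: \; \" \\
            out.append(ord(spec[i + 1]))
            i += 2
        else:
            out.append(ord(c))
            i += 1
    return bytes(out)


def content_matches(payload: bytes, contents) -> bool:
    """True if every (spec, nocase) pair is found; Snort ANDs the content
    options of one rule, and nocase applies to the content before it."""
    for spec, nocase in contents:
        needle, hay = parse_content(spec), payload
        if nocase:
            needle, hay = needle.lower(), hay.lower()
        if needle not in hay:
            return False
    return True


# Content options transcribed from the rules in the post (sid/msg omitted).
RULES = {
    "dameware_445_dll": [("DWRCK.DLL", True)],
    "dameware_139_unicode": [("D|00|W|00|R|00|C|00|K", False)],
    "dameware_445_ini": [("DWRCS.INI", True)],
    "dir_listing": [("200 OK", False), ("directory of", True)],
    "openssl_probe": [("GET /mod_ssl\\:error\\:HTTP-request HTTP/1.0", True)],
}

# Constructed payloads (not packet captures) standing in for the TCP stream.
SMB_ASCII = b"\xffSMB...\\dwrck.dll\x00"
SMB_UNICODE = b"\xffSMB" + "\\DWRCK.DLL".encode("utf-16-le")
LISTING = b"HTTP/1.0 200 OK\r\n\r\n<title>Directory of /pub</title>"
PROBE = b"GET /mod_ssl:error:HTTP-request HTTP/1.0\r\n\r\n"


def fired(payload: bytes) -> list:
    """Names of the rules whose content options all match payload."""
    return [n for n, c in RULES.items() if content_matches(payload, c)]
```

Running fired() on the two SMB payloads shows why rule 3 exists: the ASCII pattern of rule 2 cannot see the UTF-16LE form of the filename, so only the |00|-interleaved content catches it.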