[Snort-sigs] Nimda

Brian bmc at ...95...
Wed May 28 08:52:12 EDT 2003


On Wed, May 28, 2003 at 08:52:58AM -0400, Joe Kinsella wrote:
> What I see in my logs on a Nimda attack looks like this:
> 
> ~/scripts/root.exe
> ~/MSADC/root.exe
> ~/c/winnt/system32/cmd.exe
> ~/d/winnt/system32/cmd.exe
> ~/scripts/..%255c../winnt/system32/cmd.exe
> ~/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe
> ~/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe
> ~/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe
> ~/scripts/..%c1%1c../winnt/system32/cmd.exe
> ~/scripts/..%c0%2f../winnt/system32/cmd.exe
> ~/scripts/..%c0%af../winnt/system32/cmd.exe
> ~/scripts/..%c1%9c../winnt/system32/cmd.exe
> ~/scripts/..%%35%63../winnt/system32/cmd.exe
> ~/scripts/..%%35c../winnt/system32/cmd.exe
> ~/scripts/..%25%35%63../winnt/system32/cmd.exe
> ~/scripts/..%252f../winnt/system32/cmd.exe
> ~/default.ida
> 
> Am I right that none of these http requests would be flagged by the default
> Snort rules as an attack?  The above is just about identical to the original
> CERT advisory for Nimda.

Snort would have caught all of those.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cmd.exe access"; flow:to_server,established; content:"cmd.exe"; nocase; classtype:web-application-attack; sid:1002; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ISAPI .ida access"; uricontent:".ida"; nocase; flow:to_server,established; reference:arachnids,552; classtype:web-application-activity; reference:cve,CAN-2000-0071; reference:bugtraq,1065; sid:1242;  rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS CodeRed v2 root.exe access"; flow:to_server,established; uricontent:"/root.exe"; nocase; classtype:web-application-attack; reference:url,www.cert.org/advisories/CA-2001-19.html; sid:1256; rev:7;)

-brian
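To check Brian's claim against Joe's log excerpt, here is a small added example (not Snort's own code and not from either poster) that applies the three rule patterns quoted above, sids 1002, 1242 and 1256 with their `nocase` modifier, to the request paths from the excerpt and reports which rule each path would trip. The sample paths are taken from the quoted log with its leading `~` dropped; the `Rule` class, `matching_sids`, `coverage` and `unflagged` are names chosen for this example.

```python
"""Simplified Snort-style content matcher for the three rules quoted in the thread.

Added example, not Snort source: it reproduces only the content:/uricontent:
string test (with nocase) of sids 1002, 1242 and 1256 and runs it over the
request paths from the quoted Nimda log to see which rule flags each one.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    sid: int
    msg: str
    pattern: str  # the content:/uricontent: value; all three rules use nocase


# The three rules Brian quoted, reduced to sid, msg and match string.
RULES = (
    Rule(1002, "WEB-IIS cmd.exe access", "cmd.exe"),
    Rule(1242, "WEB-IIS ISAPI .ida access", ".ida"),
    Rule(1256, "WEB-IIS CodeRed v2 root.exe access", "/root.exe"),
)

# Constructed sample input: the request paths from Joe's log excerpt,
# with the log's leading "~" removed and the wrapped msadc line rejoined.
NIMDA_PATHS = [
    "/scripts/root.exe",
    "/MSADC/root.exe",
    "/c/winnt/system32/cmd.exe",
    "/d/winnt/system32/cmd.exe",
    "/scripts/..%255c../winnt/system32/cmd.exe",
    "/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe",
    "/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe",
    "/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe",
    "/scripts/..%c1%1c../winnt/system32/cmd.exe",
    "/scripts/..%c0%2f../winnt/system32/cmd.exe",
    "/scripts/..%c0%af../winnt/system32/cmd.exe",
    "/scripts/..%c1%9c../winnt/system32/cmd.exe",
    "/scripts/..%%35%63../winnt/system32/cmd.exe",
    "/scripts/..%%35c../winnt/system32/cmd.exe",
    "/scripts/..%25%35%63../winnt/system32/cmd.exe",
    "/scripts/..%252f../winnt/system32/cmd.exe",
    "/default.ida",
]


def matching_sids(path: str) -> list[int]:
    """Return the sids of rules whose pattern occurs in path, case-insensitively.

    This mirrors the nocase content test only; it does not reproduce Snort's
    flow tracking or http_inspect URI normalisation.
    """
    lowered = path.lower()
    return [rule.sid for rule in RULES if rule.pattern.lower() in lowered]


def coverage(paths: list[str]) -> dict[str, list[int]]:
    """Map every path to the list of sids that would fire on it."""
    return {path: matching_sids(path) for path in paths}


def unflagged(paths: list[str]) -> list[str]:
    """Paths that none of the three rules would flag; empty means full coverage."""
    return [path for path in paths if not matching_sids(path)]


if __name__ == "__main__":
    for path, sids in coverage(NIMDA_PATHS).items():
        print(f"{sids or ['-']!s:10} {path}")
    print("unflagged:", unflagged(NIMDA_PATHS))
```

Every one of the eighteen paths trips exactly one rule: the sixteen `cmd.exe` variants hit sid 1002 regardless of how the traversal in front of the filename is encoded, the two `root.exe` requests hit sid 1256, and `/default.ida` hits sid 1242. The matcher works on the raw string because `cmd.exe`, `root.exe` and `.ida` are unencoded in every sample; real Snort additionally evaluates `uricontent` against the normalised URI buffer, so this toy is a lower bound on what the rules see, not a substitute for them.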
