[Snort-sigs] Rules for ject and scob worms

Matthew Jonkman matt at ...2436...
Thu Jul 8 17:20:07 EDT 2004


I'd like to propose these changes, I think they'll be more effective. 
I've replaced HTTP_SERVERS with HOME_NET, and moved the HTTP_PORTS to 
the source pair. Changes flow:to_server to from_server.

These look good to everyone?

Matt

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE 
Ject and Scob worm IE shellscript"; flow:from_server,established; 
content:"ActiveXObject"; content:"Write"; content:"SaveToFile"; 
reference: 
url,www.securityfocus.com/archive/1/367466/2004-06-26/2004-07-02/0; 
nocase; classtype:shellcode-detect; sid:2000362; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE 
Ject and Scob worm IE shellscript 2"; flow:from_server,established; 
content:"ActiveXObject"; content:"NameSpace"; content:"Path"; 
content:"Save"; reference: 
url,www.securityfocus.com/archive/1/367466/2004-06-26/2004-07-02/0; no
case; classtype:shellcode-detect; sid:2000361; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE 
Ject and Scob worm IE shellscript 3"; flow:from_server,established; 
content:"ActiveXObject"; content:"ShellExecute"; reference: 
url,www.securityfocus.com/archive/1/367466/2004-06-26/2004-07-02/0; 
nocase; classtype:shellcode-detect; sid:2000360; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE 
Ject and Scob worm IE shellscript 4"; flow:from_server,established; 
content:"document.write"; content:"IFRAME"; content:"setTimeout"; 
reference:url,www.securityfocus.com/archive/1/367466/2004-06-26/2004-07-02/0; 
nocase; classtype:shellcode-detect; sid:2000359; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE 
Ject and Scob worm IE installer-loader"; flow:from_server,established; 
content:"execScript"; content:"document.write"; content:"IFRAME"; 
reference: 
url,www.securityfocus.com/archive/1/367466/2004-06-26/2004-07-02/0; 
nocase; classtype:shellcode-detect; sid:2000364; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE 
Ject and Scob worm IE installer-loader 2"; flow:from_server,established; 
content:"insertAdjacentHTML"; content:"script"; content:"ActiveXObject"; 
reference: 
url,www.securityfocus.com/archive/1/367466/2004-06-26/2004-07-02/0; no
case; classtype:shellcode-detect; sid:2000363; rev:1;)

Joseph Gama wrote:

> Hello,
> 
> Here are the rules for the latest worms that attack
> IE. It is also useful to know which websites are
> spreading the worms because many websites have been
> hacked in order to attack visitors with IE.
> 
> Thank you!
> 
> Peace,
> Joseph
> 
> 
> 		
> __________________________________
> Do you Yahoo!?
> Yahoo! Mail - 50x more storage than other providers!
> http://promotions.yahoo.com/new_mail

-- 
--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
my.infotex.com
www.offsitefilter.com
--------------------------------------------


NOTICE: The information contained in this email is confidential
and intended solely for the intended recipient. Any use,
distribution, transmittal or retransmittal of information
contained in this email by persons who are not intended
recipients may be a violation of law and is strictly prohibited.
If you are not the intended recipient, please contact the sender
and delete all copies.




More information about the Snort-sigs mailing list