[Snort-sigs] Unknown IIS Worm Sigs

Matthew Jonkman matt at ...2436...
Thu Jun 24 17:05:02 EDT 2004


Reports of a potential 0-day IIS exploit are coming in, best documented 
at isc.sans.org.

Here are a couple VERY crude rules to hopefully detect the infectious 
code. These are posted on bleedingsnort.com in the bleeding.rules.

Suggestions are MORE than welcome if you're seeing anything. These are 
just looking for a couple unique strings in the small bit of code we have.

alert ip any any -> any any (msg:"BLEEDING-EDGE Unknown IIS Worm Code in Transit"; content:"217.107.218.147"; classtype:trojan-activity; sid:2000311; rev:1;)
alert ip any any -> any any (msg:"BLEEDING-EDGE Unknown IIS Worm Code in Transit"; content:"function gc099"; classtype:trojan-activity; sid:2000312; rev:1;)


Yes, I know it'll be very prone to false positives (this email will kick 
them both off). Better than nothing till we know more.

Suggestions and more information VERY welcome.

Matt

--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
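Added example (not part of the original post or of bleedingsnort.com): a minimal Python model of how these two content-only rules behave, run over constructed sample payloads to show both the intended hit on worm-like code and the false positive the author warns about, where any traffic carrying the same strings (such as this announcement) also matches. It assumes a simplified Snort option syntax (plain quoted content strings, no modifiers such as nocase or offset) and uses only the rule text from the post.

```python
import re

# The two rules exactly as posted, one per line.
BLEEDING_RULES = [
    'alert ip any any -> any any (msg:"BLEEDING-EDGE Unknown IIS Worm Code in Transit"; '
    'content:"217.107.218.147"; classtype:trojan-activity; sid:2000311; rev:1;)',
    'alert ip any any -> any any (msg:"BLEEDING-EDGE Unknown IIS Worm Code in Transit"; '
    'content:"function gc099"; classtype:trojan-activity; sid:2000312; rev:1;)',
]

# Simplified option grammar: keyword:"value"; or keyword:value; (assumption: no escapes or modifiers).
OPTION_RE = re.compile(r'(\w+):"?([^";]*)"?;')


def parse_rule(rule):
    """Return the rule's options as a dict; all content strings are collected in a list."""
    _header, _, body = rule.partition("(")
    opts, contents = {}, []
    for key, value in OPTION_RE.findall(body.rstrip(")")):
        if key == "content":
            contents.append(value)
        else:
            opts[key] = value
    opts["content"] = contents
    opts["sid"] = int(opts["sid"])
    return opts


def match_payload(payload, rules):
    """Sids of rules whose content strings all occur in the payload (case-sensitive, like Snort without nocase)."""
    return [r["sid"] for r in rules if all(c.encode() in payload for c in r["content"])]


# Constructed sample payloads (not real captures).
SAMPLE_PAYLOADS = {
    "worm_like": b'<script>function gc099(){ var u="http://217.107.218.147/x.js"; }</script>',
    "benign": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    # The announcement itself carries both strings, so it trips both rules.
    "this_email": b'content:"217.107.218.147"; ... content:"function gc099";',
}


def scan_samples():
    """Map each sample name to the list of sids it triggers."""
    rules = [parse_rule(r) for r in BLEEDING_RULES]
    return {name: match_payload(p, rules) for name, p in SAMPLE_PAYLOADS.items()}
```

Running scan_samples() shows the benign request is clean while both the worm-like payload and the email text fire sids 2000311 and 2000312, which is the false-positive behaviour the post acknowledges.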
