[Snort-sigs] Unknown IIS Worm Sigs

John Nagro john.nagro at ...2420...
Thu Jun 24 21:04:31 EDT 2004

Thanks for the rules. Its probably wise to also alert on *any* traffic
to/from those IP's untill we can figure out a better signature (based
on the actual exploit or a portion of the jscript that doesnt change).

If anyone figures out something they even *think* could be used to
track it, please post to this thread.


On Thu, 24 Jun 2004 19:04:50 -0500, Matthew Jonkman <matt at ...2436...> wrote:
> Reports of a potential 0-day IIS exploit are coming in, best documented
> at isc.sans.org.
> Here are a couple VERY crude rules to hopefully detect the infectious
> code. These are posted on bleedingsnort.com in the bleeding.rules.
> Suggestions are MORE than welcome if you're seeing anything. These are
> just looking for a couple unique strings in the smal bit of code we have.
> alert ip any any -> any any (msg:"BLEEDING-EDGE Unknown IIS Worm Code in
> Transit"; content:""; classtype:trojan-activity;
> sid:2000311; rev:1;)
> alert ip any any -> any any (msg:"BLEEDING-EDGE Unknown IIS Worm Code in
> Transit"; content:"function gc099"; classtype:trojan-activity;
> sid:2000312; rev:1;)
> Yes, I know it'll be very prone to false positives (this email will kick
> them both off). Better than nothing till we know more.
> Suggestions and more informaiton VERY welcome.
> Matt
> --------------------------------------------
> Matthew Jonkman, CISSP
> Senior Security Engineer
> -------------------------------------------------------
> This SF.Net email sponsored by Black Hat Briefings & Training.
> Attend Black Hat Briefings & Training, Las Vegas July 24-29 -
> digital self defense, top technical experts, no vendor pitches,
> unmatched networking opportunities. Visit www.blackhat.com
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs

More information about the Snort-sigs mailing list