[Snort-sigs] Witty signature
security at ...704...
Sun Mar 21 07:32:04 EST 2004
Those would have to be the result of a device performing PAT or similar,
I've only seen one pkt not sourced on port 4000 at 2004-03-20 16:14:34.
More interesting to me is that the worm trips rule 2445 released by
Sourcefire but out of the flood of alerts that I have there are 5 for
2444 and 7 for 2443. I've not looked into them yet since I have no ISS
to be exploited.
Russell Fulton wrote:
> On Sun, 2004-03-21 at 00:17, todb at ...794... wrote:
>>Pretty easy one:
>>alert udp any 4000 -> any any (msg:"ISS RealSecure or BlackICE Witty
> According to Symantec they are seeing some udp packets containing the
> worm with source ports other than 4000.
More information about the Snort-sigs