[Snort-sigs] Witty signature

Jason security at ...704...
Sun Mar 21 07:32:04 EST 2004

Those would have to be the result of a device performing PAT or similar;
I've only seen one pkt not sourced on port 4000 at 2004-03-20 16:14:34.

More interesting to me is that the worm trips rule 2445 released by 
Sourcefire, but out of the flood of alerts that I have, there are 5 for 
2444 and 7 for 2443. I've not looked into them yet since I have no ISS 
to be exploited.

Russell Fulton wrote:
> On Sun, 2004-03-21 at 00:17, todb at ...794... wrote:
>>Pretty easy one:
>>alert udp any 4000 -> any any (msg:"ISS RealSecure or BlackICE Witty
> According to Symantec they are seeing some udp packets containing the
> worm with source ports other than 4000.
