[Snort-sigs] Re: [ISSForum] Witty signature

Sergey V Soldatov SVSoldatov at ...2335...
Thu Mar 25 05:41:16 EST 2004


I found another signature... It uses a longer content, so it is more exact,
isn't it?

alert udp any 4000:5000 -> any any (msg:"Witty Initial Traffic"; content:"|29202020202020696e73657274207769747479206d6573736167652068657265|"; rev:1;)

Source port restriction may be removed.
---
Best regards, Sergey V. Soldatov.



                                                                                                                    
From:     todb at ...794...
Sent by:  issforum-bounces at ...318...
To:       snort-sigs at lists.sourceforge.net, issforum at ...318...
cc:
Subject:  [ISSForum] Witty signature
Date:     20.03.2004 14:17
                                                                                                                    
                                                                                                                    




Pretty easy one:

alert udp any 4000 -> any any (msg:"ISS RealSecure or BlackICE Witty Infection Attempt"; content:"|20 20 20 20 20 20|insert.witty.message.here"; depth:146; classtype:trojan-activity; reference:url,http://xforce.iss.net/xforce/alerts/id/166; sid:1111001; rev:1;)

Mostly useful for the Trons crowd (drop disallowed Trons fields
accordingly).

--
Tod Beardsley
www.planb-security.net
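
Added example, not part of the original thread: a small Python check that decodes the content option of each rule above into the literal bytes Snort would search for, then tests both against payloads. The helper names (decode_content, content_matches, compare) and the sample payloads are constructed for illustration, and Snort backslash escapes are not handled.

```python
def decode_content(spec: str) -> bytes:
    """Decode a Snort content string: text outside |...| is literal, inside is hex."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2:
            # Odd segments sit between pipes: hex byte pairs, spaces optional.
            out += bytes.fromhex(part)
        else:
            out += part.encode("latin-1")
    return bytes(out)


def content_matches(payload: bytes, spec: str, depth=None) -> bool:
    """Literal byte match; depth limits the search to the first N payload bytes."""
    window = payload if depth is None else payload[:depth]
    return decode_content(spec) in window


# Content options copied from the two rules in the thread.
HEX_RULE = "|29202020202020696e73657274207769747479206d6573736167652068657265|"
DOT_RULE = "|20 20 20 20 20 20|insert.witty.message.here"


def compare(payload: bytes) -> dict:
    """Report which rule's content would fire on a UDP payload."""
    return {
        "hex_rule": content_matches(payload, HEX_RULE),
        "dot_rule": content_matches(payload, DOT_RULE, depth=146),
    }


# Constructed sample payloads (not packet captures). PAD stands in for
# whatever bytes precede the banner string in a datagram.
PAD = b"\x00" * 64
SAMPLE_SPACES = PAD + decode_content(HEX_RULE) + b"."
SAMPLE_DOTS = PAD + b" " * 6 + b"insert.witty.message.here"
SAMPLE_DEEP = b"\x00" * 200 + SAMPLE_DOTS[64:]  # banner starts past depth 146

if __name__ == "__main__":
    print("hex rule bytes:", decode_content(HEX_RULE))
    print("dot rule bytes:", decode_content(DOT_RULE))
    for name, sample in [("spaces", SAMPLE_SPACES), ("dots", SAMPLE_DOTS),
                         ("deep", SAMPLE_DEEP)]:
        print(name, compare(sample))
```

The two content options decode to different byte strings (0x20 separators in the hex form, literal 0x2e dots in the other), so each rule should be checked against a real capture before deployment.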









