[Snort-sigs] Bobax/Kibuv Windows XP UPnP SCAN

Miner, Jonathan W (CSC) (US SSA) jonathan.w.miner at ...2476...
Tue May 18 07:09:35 EDT 2004

Lots of port 5000 scans since yesterday... From reading the diary at www.incidents.org, it looks like the results of the Bobax and Kibuv worms.  I've written a simple rule that logs all my port 5000 connections. Comments?

alert tcp any any -> $HOME_NET 5000 ( msg:"Bobax/Kibuv Windows XP UPnP SCAN"; flags:S+; classtype: misc-activity; reference:url,www.lurhq.com/bobax.html; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.kibuv.b.html; sid:1000002; rev:2;)
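
A triage pass over this rule's output, added here as an example and not part of the original post: since the rule alerts on every SYN to port 5000, the script groups Snort fast-format alerts for sid 1000002 by source and keeps only sources that probed several distinct hosts. The fast-alert line layout, the three-host cut-off (`MIN_TARGETS`) and the function name `sweepers` are assumptions, and the sample alerts are constructed.

```python
import re
from collections import defaultdict

# Snort "fast" alert line: timestamp [**] [gid:sid:rev] msg [**] ... {TCP} src:port -> dst:port
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\].*?"
    r"\{TCP\}\s+(?P<src>\d+\.\d+\.\d+\.\d+):\d+\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)

RULE_SID = 1000002  # sid of the rule in the post
MIN_TARGETS = 3     # assumed cut-off: distinct hosts probed before a source counts as sweeping


def sweepers(lines, sid=RULE_SID, min_targets=MIN_TARGETS):
    """Map each source IP to the sorted distinct destinations it hit,
    keeping only sources whose alerts for `sid` cover >= min_targets hosts."""
    targets = defaultdict(set)
    for line in lines:
        m = ALERT_RE.search(line)
        if m is None or int(m["sid"]) != sid:
            continue  # unparsable line, or an alert from a different rule
        targets[m["src"]].add(m["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_targets}


# Constructed sample alerts (documentation address ranges, not real traffic).
MSG = "Bobax/Kibuv Windows XP UPnP SCAN [**] [Classification: Misc activity] [Priority: 3]"
SAMPLE = [
    f"05/18-07:01:10.100000  [**] [1:1000002:2] {MSG} {{TCP}} 203.0.113.7:3021 -> 192.0.2.10:5000",
    f"05/18-07:01:10.400000  [**] [1:1000002:2] {MSG} {{TCP}} 203.0.113.7:3022 -> 192.0.2.11:5000",
    f"05/18-07:01:10.900000  [**] [1:1000002:2] {MSG} {{TCP}} 203.0.113.7:3023 -> 192.0.2.12:5000",
    f"05/18-07:01:13.900000  [**] [1:1000002:2] {MSG} {{TCP}} 203.0.113.7:3021 -> 192.0.2.10:5000",
    f"05/18-07:02:44.000000  [**] [1:1000002:2] {MSG} {{TCP}} 198.51.100.20:1050 -> 192.0.2.10:5000",
    "05/18-07:03:00.000000  [**] [1:1000001:1] Other local rule [**] {TCP} 198.51.100.99:1111 -> 192.0.2.10:5000",
    "this line is not an alert",
]

if __name__ == "__main__":
    for src, dsts in sweepers(SAMPLE).items():
        print(f"{src} probed {len(dsts)} hosts on port 5000: {', '.join(dsts)}")
```
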
