[Snort-sigs] Bobax/Kibuv Windows XP UPnP SCAN

Chris Baker extremis at ...862...
Tue May 18 08:37:13 EDT 2004



Try this one for the registration attempt:

alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"Bobax registration attempt";
flow:to_server,established;
pcre:"/reg\?u=(0x)?[A-Fa-f0-9]{8}&v=114/i";
reference:url,www.lurhq.com/bobax.html; sid:1000000; rev:1;)

On May 18, 2004, at 9:08 AM, Miner, Jonathan W (CSC) (US SSA) wrote:

> Lots of Port 5000 scans since yesterday... From reading the diary at
> www.incidents.org, it looks like the results of Bobax and Kibuv worms.
> I've written a simple rule that logs all my port 5000 connections.
> Comments?
>
>
> alert tcp any any -> $HOME_NET 5000 (msg:"Bobax/Kibuv Windows XP UPnP SCAN";
> flags:S+; classtype:misc-activity;
> reference:url,www.lurhq.com/bobax.html;
> reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.kibuv.b.html;
> sid:1000002; rev:2;)
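To sanity-check the registration pcre before loading it into Snort, here is an added Python harness (not part of the thread; the HTTP requests are constructed samples) that applies the same expression, with the rule's /i flag mapped to re.IGNORECASE, to a handful of client-to-server request lines:

```python
import re

# The PCRE from Chris Baker's rule, copied verbatim from the post.
BOBAX_REG_PCRE = r"reg\?u=(0x)?[A-Fa-f0-9]{8}&v=114"

# Compiled once; the rule's /i modifier becomes re.IGNORECASE.
_pattern = re.compile(BOBAX_REG_PCRE, re.IGNORECASE)


def matches_bobax_registration(payload: bytes) -> bool:
    """Return True when a client->server HTTP payload matches the rule's PCRE."""
    # Snort matches on raw bytes; latin-1 maps every byte 1:1 so nothing is lost.
    return _pattern.search(payload.decode("latin-1")) is not None


def scan_requests(requests):
    """Apply the signature to (label, payload) pairs and return the labels that hit."""
    return [label for label, payload in requests if matches_bobax_registration(payload)]


# Constructed sample requests (not real captures): three the signature should
# flag (plain 8-hex id, 0x-prefixed id, mixed case) and two it should ignore
# (id shorter than 8 hex digits, different v= value).
SAMPLES = [
    ("hex-id", b"GET /reg?u=0a1b2c3d&v=114 HTTP/1.0\r\nHost: example.invalid\r\n\r\n"),
    ("0x-prefix", b"GET /reg?u=0xDEADBEEF&v=114 HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
    ("mixed-case", b"GET /REG?U=AbCdEf01&V=114 HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
    ("short-id", b"GET /reg?u=abc&v=114 HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
    ("other-version", b"GET /reg?u=0a1b2c3d&v=115 HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
]

if __name__ == "__main__":
    for label in scan_requests(SAMPLES):
        print("ALERT Bobax registration attempt:", label)
```

Note that `[A-Fa-f0-9]{8}` followed by `&v=114` only matches an id of exactly eight hex digits, so a longer identifier would slip past this pcre.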
