[Snort-sigs] Bobax/Kibuv Windows XP UPnP SCAN

Matthew Jonkman jonkman at ...2436...
Tue May 18 09:00:24 EDT 2004

I'd be careful with that one. It'll hit on regular windows UPnP traffic.

If a user brings in an XP home or something it'll load you with a bunch 
of false positives. You ought to find what a real UPnP connection looks 
like and exclude that. Then everything else could probably be considered 
hostile. I imagine this worm will evolve, so a sig to detect it's exact 
initial attack may be too short-lived.


Miner, Jonathan W (CSC) (US SSA) wrote:

> Lots of Port 5000 scans since yesterday... From reading the diary at www.incidents.org, it looks like the results of Bobax and Kibuv worms.  I've written a simple rule that logs all my port 5000 connections. Comments?
> alert tcp any any -> $HOME_NET 5000 ( msg:"Bobax/Kibuv Windows XP UPnP SCAN"; flags:S+; classtype: misc-activity; reference:url,www.lurhq.com/bobax.html; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.kibuv.b.html; sid:1000002; rev:2;)
> -------------------------------------------------------
> This SF.Net email is sponsored by: SourceForge.net Broadband
> Sign-up now for SourceForge Broadband and get the fastest
> 6.0/768 connection for only $19.95/mo for the first 3 months!
> http://ads.osdn.com/?ad_id%62&alloc_ida84&op=click
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs

Matthew Jonkman, CISSP
Senior Security Engineer

More information about the Snort-sigs mailing list