[Snort-sigs] Bobax/Kibuv Windows XP UPnP SCAN

Aaron W. DeLashmutt awd at ...2442...
Tue May 18 09:11:04 EDT 2004


A SYN to port 5000?  No content, no flow... you are definitely setting
yourself up for a ream of false positives.
Good luck with that.
-awd

Quoting "Miner, Jonathan W (CSC) (US SSA)" <jonathan.w.miner at ...2476...>:

> Lots of Port 5000 scans since yesterday... From reading the diary at 
> www.incidents.org, it looks like the results of Bobax and Kibuv 
> worms.  I've written a simple rule that logs all my port 5000 
> connections. Comments?
>
>
> alert tcp any any -> $HOME_NET 5000 ( msg:"Bobax/Kibuv Windows XP UPnP SCAN"; flags:S+; classtype: misc-activity; reference:url,www.lurhq.com/bobax.html; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.kibuv.b.html; sid:1000002; rev:2;)




---
Aaron W. DeLashmutt <awd at ...2442...>
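
One way to triage the output of a bare SYN rule like the one quoted above, added here as an example and not part of the original thread: group its alerts by source and report only sources that touch several distinct hosts on port 5000 within a short window. The alert lines are constructed in Snort's fast-alert layout; the function name, the thresholds and the year 2004 (fast alerts carry no year) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts in Snort fast-alert layout (documentation addresses, not real traffic).
SAMPLE_ALERTS = """\
05/18-09:00:01.000000  [**] [1:1000002:2] Bobax/Kibuv Windows XP UPnP SCAN [**] [Classification: Misc activity] [Priority: 3] {TCP} 203.0.113.7:1025 -> 192.168.1.10:5000
05/18-09:00:01.500000  [**] [1:1000002:2] Bobax/Kibuv Windows XP UPnP SCAN [**] [Classification: Misc activity] [Priority: 3] {TCP} 203.0.113.7:1026 -> 192.168.1.11:5000
05/18-09:00:02.000000  [**] [1:1000002:2] Bobax/Kibuv Windows XP UPnP SCAN [**] [Classification: Misc activity] [Priority: 3] {TCP} 203.0.113.7:1027 -> 192.168.1.12:5000
05/18-09:00:03.000000  [**] [1:1000002:2] Bobax/Kibuv Windows XP UPnP SCAN [**] [Classification: Misc activity] [Priority: 3] {TCP} 203.0.113.7:1028 -> 192.168.1.13:5000
05/18-09:05:00.000000  [**] [1:1000002:2] Bobax/Kibuv Windows XP UPnP SCAN [**] [Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.20:4000 -> 192.168.1.50:5000
05/18-09:05:03.000000  [**] [1:1000002:2] Bobax/Kibuv Windows XP UPnP SCAN [**] [Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.20:4000 -> 192.168.1.50:5000
05/18-09:05:09.000000  [**] [1:1000002:2] Bobax/Kibuv Windows XP UPnP SCAN [**] [Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.20:4000 -> 192.168.1.50:5000
05/18-09:10:00.000000  [**] [1:1000002:2] Bobax/Kibuv Windows XP UPnP SCAN [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.9:3000 -> 192.168.1.10:5000
05/18-09:20:00.000000  [**] [1:1000002:2] Bobax/Kibuv Windows XP UPnP SCAN [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.9:3001 -> 192.168.1.11:5000
05/18-09:30:00.000000  [**] [1:1000002:2] Bobax/Kibuv Windows XP UPnP SCAN [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.9:3002 -> 192.168.1.12:5000
"""

# Timestamp, source and destination address of a TCP alert aimed at port 5000.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s.*\{TCP\}\s"
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):5000\s*$"
)

def find_sweepers(text, min_hosts=3, window=timedelta(seconds=60), year=2004):
    """Return {source: most distinct port-5000 targets in any window} for sources reaching min_hosts."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            # Fast alerts omit the year; the caller supplies it (assumption: 2004).
            ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S")
            hits[m["src"]].append((ts, m["dst"]))
    sweepers = {}
    for src, events in hits.items():
        events.sort()
        best = 0
        for i, (start, _) in enumerate(events):
            # Distinct targets within `window` of this alert; repeated SYNs to one host count once.
            dsts = {d for t, d in events[i:] if t - start <= window}
            best = max(best, len(dsts))
        if best >= min_hosts:
            sweepers[src] = best
    return sweepers

if __name__ == "__main__":
    for src, n in find_sweepers(SAMPLE_ALERTS).items():
        print(f"{src} hit {n} distinct hosts on port 5000 within 60s")
```

With the default 60-second window only the source sweeping four hosts is reported; the repeated SYNs to a single host and the three connections spread over twenty minutes are not.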





