[Snort-sigs] Bobax/Kibuv Windows XP UPnP SCAN

Joe Stewart jstewart at ...5...
Tue May 18 09:16:01 EDT 2004

On Tuesday 18 May 2004 11:36 am, Chris Baker wrote:
> Try this one for the registration attempt:
> alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"Bobax registration
> attempt"; flow:to_server,established;
> pcre:"/reg\?u=(0x)?[A-Fa-f0-9]{8}&v=114/i";
> reference:url,www.lurhq.com/bobax.html; sid:1000000; rev:1;)

Here's the actual printf string used by Bobax:


So this would render something like:


So /reg\?u=[A-F0-9]{8}&v=[0-9]+/ would suffice. I probably wouldn't rely 
on v=114 staying constant, since it is probably incremented with each 
build. Also, for completeness you could include the string from Minit, 
which is 


So something like /\/reg\?.*u=[A-Fa-f0-9]{8}&/ should catch all variants 
by the same author, but the false-positive rate could go up since we're 
ignoring all other variable names but "u".


Joe Stewart, GCIH 
Senior Security Researcher
LURHQ http://www.lurhq.com/
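As an added illustration (not code from the thread or from LURHQ), the three patterns discussed above run in Python over constructed HTTP request lines, to make the coverage versus false-positive trade-off concrete; the sample URIs, the `v` values and the extra `id` parameter are assumptions, not observed Bobax or Minit traffic.

```python
import re

# Patterns from the thread, transcribed into Python regex syntax.
# Chris's rule carried the /i modifier; Joe's tighter pattern did not, so it
# only matches upper-case hex, which the samples below make visible.
PATTERNS = {
    "chris_v114": re.compile(r"reg\?u=(0x)?[A-Fa-f0-9]{8}&v=114", re.IGNORECASE),
    "joe_tight": re.compile(r"reg\?u=[A-F0-9]{8}&v=[0-9]+"),
    "joe_loose": re.compile(r"/reg\?.*u=[A-Fa-f0-9]{8}&"),
}

# Constructed request lines (not real captures). The "v" values and the
# "id" parameter are hypothetical, chosen to exercise each pattern.
SAMPLES = {
    "bobax_v114": "GET /reg?u=0A1B2C3D&v=114 HTTP/1.1",
    "newer_build": "GET /reg?u=0A1B2C3D&v=115 HTTP/1.1",
    "lowercase_hex": "GET /reg?u=0a1b2c3d&v=114 HTTP/1.1",
    "extra_param_first": "GET /reg?id=7&u=0A1B2C3D&v=2 HTTP/1.1",
    "benign_lookalike": "GET /reg?u=DEADBEEF&name=alice HTTP/1.1",
}

def request_uri(request_line):
    """Return the URI field of an HTTP request line, or '' if malformed."""
    parts = request_line.split(" ")
    return parts[1] if len(parts) == 3 else ""

def evaluate(samples=SAMPLES, patterns=PATTERNS):
    """Map sample name -> {pattern name: matched?}, pcre-style unanchored search."""
    return {
        name: {pname: rx.search(request_uri(line)) is not None
               for pname, rx in patterns.items()}
        for name, line in samples.items()
    }

def coverage(results, pattern_name, expected_hits):
    """Return (true positives, false positives) for one pattern."""
    hits = {n for n, r in results.items() if r[pattern_name]}
    return len(hits & expected_hits), len(hits - expected_hits)

if __name__ == "__main__":
    for name, row in evaluate().items():
        print(f"{name:18s}", " ".join(f"{p}={int(v)}" for p, v in row.items()))
```

The loose pattern is the only one that catches the sample with another parameter ahead of `u`, but it also fires on the benign look-alike; the tight pattern misses lower-case hex because it has no `/i`.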
