[Snort-sigs] Bobax/Kibuv Windows XP UPnP SCAN

Joe Stewart jstewart at ...5...
Tue May 18 09:16:01 EDT 2004


On Tuesday 18 May 2004 11:36 am, Chris Baker wrote:
> Try this one for the registration attempt:
>
> alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"Bobax registration
> attempt"; flow:to_server,established;
> pcre:"/reg\?u=(0x)?[A-Fa-f0-9]{8}&v=114/i";
> reference:url,www.lurhq.com/bobax.html; sid:1000000; rev:1;)

Here's the actual printf string used by Bobax:

http://%s/reg?u=%08X&v=%d

So this would render something like:

http://www.badsever.evil/reg?u=0ABC9DEF&v=114

So /reg\?u=[A-F0-9]{8}&v=[0-9]+/ would suffice. I probably wouldn't rely 
on v=114 staying constant, since it is probably incremented with each 
build. Also, for completeness you could include the string from Minit, 
which is 

http://%s/reg?p=%d&u=%08X&r=%d

So something like /\/reg\?.*u=[A-Fa-f0-9]{8}&/ should catch all variants 
by the same author, but the false-positive rate could go up since we're 
ignoring all other variable names but "u".

-Joe

-- 
Joe Stewart, GCIH 
Senior Security Researcher
LURHQ http://www.lurhq.com/
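Added example (not part of the thread or of any Snort rule) comparing the three PCRE expressions discussed above against constructed request URIs modelled on the quoted printf strings. Python's re module stands in for Snort's PCRE engine; the URIs, including the "later build" and the unrelated-application case, are constructed here to show where the broader pattern gains coverage and where it risks false positives.

```python
import re

# The three patterns from the thread, with the PCRE "/.../" delimiters removed.
PATTERNS = {
    # Chris Baker's original, case-insensitive, pinned to v=114
    "pinned_v114": re.compile(r"reg\?u=(0x)?[A-Fa-f0-9]{8}&v=114", re.I),
    # Joe's Bobax-only variant: any version number
    "bobax_any_version": re.compile(r"reg\?u=[A-F0-9]{8}&v=[0-9]+"),
    # Joe's broad variant: only requires a u=<8 hex> parameter somewhere after /reg?
    "all_variants": re.compile(r"/reg\?.*u=[A-Fa-f0-9]{8}&"),
}

# Constructed sample URIs (not captured traffic), built from the quoted format strings.
SAMPLE_URIS = {
    "bobax_v114": "/reg?u=0ABC9DEF&v=114",           # http://%s/reg?u=%08X&v=%d
    "bobax_later_build": "/reg?u=0ABC9DEF&v=115",    # hypothetical incremented build
    "minit": "/reg?p=3&u=0ABC9DEF&r=7",              # http://%s/reg?p=%d&u=%08X&r=%d
    "benign_signup": "/reg?user=alice&v=114",        # ordinary web app, no 8-hex u=
    "unrelated_app": "/reg?acct=12&u=DEADBEEF&tz=1", # unrelated app with an 8-hex u=
}


def which_match(uri):
    """Return {pattern_name: matched?} for a single request URI."""
    return {name: bool(p.search(uri)) for name, p in PATTERNS.items()}


def compare():
    """Run every sample URI through every pattern."""
    return {label: which_match(uri) for label, uri in SAMPLE_URIS.items()}


def false_positive_candidates():
    """Labels matched only by the broad pattern, i.e. the extra coverage it buys
    and the extra false-positive exposure Joe warns about."""
    return sorted(
        label for label, hits in compare().items()
        if hits["all_variants"] and not hits["bobax_any_version"]
    )


if __name__ == "__main__":
    for label, hits in compare().items():
        print(f"{label:18s} {hits}")
    print("broad-only matches:", false_positive_candidates())
```

The pinned pattern misses a later build and Minit entirely; the broad pattern catches Minit but also fires on any application that happens to send an 8-hex-digit u= parameter under /reg.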



