[Snort-sigs] Bobax/Kibuv Windows XP UPnP SCAN

Miner, Jonathan W (CSC) (US SSA) jonathan.w.miner at ...2476...
Tue May 18 09:39:13 EDT 2004

Sorry, I forgot to state that I have no legit UPnP traffic on my network.  And yes... I'm seeing reams of traffic :(

-----Original Message-----
From:	Aaron W. DeLashmutt [mailto:awd at ...2442...]
Sent:	Tue 05/18/2004 12:10 PM
To:	Miner, Jonathan W (CSC) (US SSA)
Cc:	snort-sigs at lists.sourceforge.net
Subject:	Re: [Snort-sigs] Bobax/Kibuv Windows XP UPnP SCAN

A SYN to port 5000?  No content, no flow... you are definitely setting 
up for a ream of false positives.
Good luck with that.

Quoting "Miner, Jonathan W (CSC) (US SSA)" <jonathan.w.miner at ...2476...>:

> Lots of Port 5000 scans since yesterday... From reading the diary at 
> www.incidents.org, it looks like the results of Bobax and Kibuv 
> worms.  I've written a simple rule that logs all my port 5000 
> connections. Comments?
> alert tcp any any -> $HOME_NET 5000 ( msg:"Bobax/Kibuv Windows XP 
> UPnP SCAN"; flags:S+; classtype: misc-activity; 
> reference:url,www.lurhq.com/bobax.html; 
> reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.kibuv.b.html; sid:1000002; 
> rev:2;)

Aaron W. DeLashmutt <awd at ...2442...>
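
Added example, not part of the original thread and not Snort's own code: one way to address the false-positive concern raised in the reply is to report a source only after its initial SYNs to port 5000 reach several distinct $HOME_NET hosts in a short window. The event tuples, addresses, window and threshold are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

HOME_NET = ip_network("192.0.2.0/24")  # assumption: stand-in for $HOME_NET
PORT = 5000          # port watched by the rule in the thread
WINDOW = 60          # assumption: seconds of history kept per source
MIN_TARGETS = 5      # assumption: distinct hosts that count as a sweep

# Constructed sample events: (epoch seconds, src, dst, dport, TCP flags).
EVENTS = (
    # one source walking six hosts in six seconds (sweep)
    [(1000 + i, "198.51.100.7", f"192.0.2.{i + 1}", 5000, "S") for i in range(6)]
    # one client retrying a single host (not a sweep)
    + [(1000 + 3 * i, "203.0.113.20", "192.0.2.10", 5000, "S") for i in range(3)]
    # five hosts, but 100 s apart (outside the default window)
    + [(1000 + 100 * i, "203.0.113.99", f"192.0.2.{i + 20}", 5000, "S") for i in range(5)]
    # other port, and a SYN-ACK leaving the home network (both ignored)
    + [(1002, "198.51.100.7", "192.0.2.50", 80, "S"),
       (1003, "192.0.2.10", "203.0.113.20", 5000, "SA")]
)


def find_sweeps(events, home_net=HOME_NET, port=PORT,
                window=WINDOW, min_targets=MIN_TARGETS):
    """Map each sweeping source to the sorted home hosts it probed.

    A source is reported once its initial SYNs (SYN set, ACK clear) to `port`
    reach `min_targets` distinct hosts in `home_net` within `window` seconds.
    """
    recent = defaultdict(list)   # src -> [(ts, dst)] still inside the window
    sweeps = {}
    for ts, src, dst, dport, flags in sorted(events):
        if dport != port or "S" not in flags or "A" in flags:
            continue
        if ip_address(dst) not in home_net:
            continue
        hits = [(t, d) for t, d in recent[src] if ts - t <= window]
        hits.append((ts, dst))
        recent[src] = hits
        targets = {d for _, d in hits}
        if len(targets) >= min_targets:
            sweeps.setdefault(src, set()).update(targets)
    return {s: sorted(t, key=ip_address) for s, t in sweeps.items()}


if __name__ == "__main__":
    for src, targets in find_sweeps(EVENTS).items():
        print(f"{src} swept {len(targets)} hosts on tcp/{PORT}: {', '.join(targets)}")
```

The filter here is narrower than the rule's `flags:S+`, which also matches SYN packets carrying other flags.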
