[Snort-users] SNORT sig for Eeye's Nimda Scanner

jruff jruff at ...2053...
Thu Sep 20 09:55:03 EDT 2001


I'm using the following to identify Eeye's Nimda Scanner Tool (bottom)  I've
placed it in a new rules file along with Eeye's CodeRed Scanner called
'scantools.rules'.  This file needs to go at the top of your include list
because the Nimda scanner comes in two seperate packets. The second packet
not only contains content "eeye", but also uricontent "c+dir" that matches
the Nimda rules that are being circulated.

The payload of the two packet combo from the Eeye Nimda scanner looks like
this:

[..SNIP..]

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/20-12:30:42.535883 130.110.93.31:4802 -> 130.110.90.78:80
TCP TTL:127 TOS:0x0 ID:44931 IpLen:20 DgmLen:94 DF
***AP*** Seq: 0xDE3430A1  Ack: 0xD1EA7920  Win: 0x4510  TcpLen: 20
48 45 41 44 20 2F 20 48 54 54 50 2F 31 2E 31 0A  HEAD / HTTP/1.1.
48 6F 73 74 3A 20 65 65 79 65 0D 0A 43 6F 6E 6E  Host: eeye..Conn
65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C 69  ection: Keep-Ali
76 65 0D 0A 0D 0A                                ve....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/20-12:30:42.731751 130.110.93.31:4802 -> 130.110.90.78:80
TCP TTL:127 TOS:0x0 ID:44933 IpLen:20 DgmLen:200 DF
***AP*** Seq: 0xDE3430D7  Ack: 0xD1EA7A32  Win: 0x43FE  TcpLen: 20
47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25  GET /scripts/..%
35 63 2E 2E 25 35 63 2E 2E 25 35 63 2E 2E 25 35  5c..%5c..%5c..%5
63 77 69 6E 6E 74 2F 73 79 73 74 65 6D 33 32 2F  cwinnt/system32/
63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69 72 20 48  cmd.exe?/c+dir H
54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20 65  TTP/1.1..Host: e
65 79 65 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A  eye..User-Agent:
20 4D 6F 7A 69 6C 6C 61 2F 34 2E 30 20 28 63 6F   Mozilla/4.0 (co
6D 70 61 74 69 62 6C 65 3B 20 4D 53 49 45 20 35  mpatible; MSIE 5
2E 30 31 3B 20 57 69 6E 64 6F 77 73 20 4E 54 20  .01; Windows NT 
35 2E 30 29 0D 0A 0D 0A 35 2E 30 29 0D 0A 0D 0A  5.0)....5.0)....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[..END SNIP..]

I'm also using a custom classtype in my 'classification.config' file for
these scanning tools.  Here is entry from my 'classification.config'
file:

[..SNIP..]

config classification: scan-detect-tool,Vulnerability Scan Detection Tool,0

[..END SNIP..]

CONTENTS OF MY scantools.rules FILE:

[..SNIP..]

#For eEye's Code Red scanner:
#----------
alert tcp any any -> any 80 (msg: "Eeye Scanner for CodeRed"; dsize:239;
flags: A+; content:"|2F782e69 64613f41 41414141|"; depth:64; classtype:
scan-detect-tool; priority: 0;)

#For Eeye's Nimda Scanner:
#----------
alert tcp any any -> any 80 (msg: "Eeye Scanner for Nimda"; content:"eeye";
nocase; flags:A+; classtype: scan-detect-tool; priority: 0;)

[..END SNIP..]


Best Regards,

John




More information about the Snort-users mailing list