[Snort-users] SSL worm sigs

Tim Bogart tim.bogart at ...3092...
Mon Sep 16 13:11:05 EDT 2002

If you please: this will probably sound like a stupid question, but ...

Are the fences around the actual signature part of the signature, or are they
delimiters used by snort?


Tim B.

On Sunday 15 September 2002 09:18 pm, Brian Caswell wrote:
> WEB-MISC bad HTTP/1.1 request, potentual worm attack";
> flow:to_server,established; content:"GET / HTTP/1.1|0a 0d 0a 0d|";
> offset:0; depth:18;
> reference:url,securityresponse.symantec.com/avcenter/security/Content/2002.09.13.html;
> classtype:web-application-activity; sid:1881; rev:1;)
> As I no longer have an attack lab, I haven't been able to play with the new
> worm that attacks apache-ssl.  However, I have written a sig that looks for
> the precursor that the worm sends.
> The worm sends "GET / HTTP/1.1\r\n\r\n" to port 80.  This is not a valid
> HTTP 1.1 request.  This will catch a bunch of lame CGI scanners, and won't
> catch people using the actual exploit, it should catch the worm probing
> your network.
> Please test and let me know how the sig works out.  When I get back to work
> tomorrow, I will test a bit more, then commit it to the tree for all to
> grab with the snapshots.
> -brian
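Added example, not part of the original thread: a small Python model of how Snort reads the `content:` option in the rule quoted above. The `|...|` fences are Snort's own delimiters, and the tokens between them are hex byte values; the bars themselves are never matched against the packet. The `offset`/`depth` handling below follows Snort's documented semantics (start searching `offset` bytes in, look at no more than `depth` bytes from there). Note one caveat a tester should be aware of: the rule as posted carries `|0a 0d 0a 0d|` (LF CR LF CR), while the prose describes the probe as ending in `\r\n\r\n` (CR LF CR LF); the matcher is exercised against both orders so the difference is visible. The `flow:` option is not modelled, and all payloads are constructed sample data.

```python
from typing import Optional

# content string exactly as it appears in the quoted sid:1881 rule
RULE_CONTENT = "GET / HTTP/1.1|0a 0d 0a 0d|"
# same match, but with the CR LF CR LF order the prose describes (constructed variant)
CRLF_CONTENT = "GET / HTTP/1.1|0d 0a 0d 0a|"


def parse_content(spec: str) -> bytes:
    """Convert a Snort content string into the raw bytes that get matched.

    Text outside the '|' fences is literal; inside the fences each
    whitespace-separated token is one hex byte.  The '|' characters are
    delimiters only and never become part of the pattern.
    """
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2 == 0:                       # literal text segment
            out += part.encode("latin-1")
        else:                                # hex bytes between fences
            out += bytes(int(tok, 16) for tok in part.split())
    return bytes(out)


def content_matches(payload: bytes, spec: str,
                    offset: int = 0, depth: Optional[int] = None) -> bool:
    """Emulate content/offset/depth: the whole pattern must lie inside the
    window that starts at `offset` and (if depth is given) spans `depth` bytes."""
    pattern = parse_content(spec)
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    return pattern in window


# Constructed sample payloads (first 18 bytes are what the rule inspects)
WORM_PROBE_LFCR = b"GET / HTTP/1.1\n\r\n\r"                        # byte order as in the rule
WORM_PROBE_CRLF = b"GET / HTTP/1.1\r\n\r\n"                        # order as in the prose
VALID_REQUEST = b"GET / HTTP/1.1\r\nHost: www.example.test\r\n\r\n"  # has the required Host header
SHIFTED_PROBE = b"xx" + WORM_PROBE_LFCR                            # probe not at byte 0


def evaluate_samples() -> dict:
    """Run the quoted rule's content match over the samples; returns a dict
    of sample name -> bool so the results can be inspected or asserted on."""
    return {
        "rule_vs_lfcr_probe": content_matches(WORM_PROBE_LFCR, RULE_CONTENT, 0, 18),
        "rule_vs_crlf_probe": content_matches(WORM_PROBE_CRLF, RULE_CONTENT, 0, 18),
        "crlf_variant_vs_crlf_probe": content_matches(WORM_PROBE_CRLF, CRLF_CONTENT, 0, 18),
        "rule_vs_valid_request": content_matches(VALID_REQUEST, RULE_CONTENT, 0, 18),
        "rule_vs_shifted_probe_depth18": content_matches(SHIFTED_PROBE, RULE_CONTENT, 0, 18),
        "rule_vs_shifted_probe_no_depth": content_matches(SHIFTED_PROBE, RULE_CONTENT, 0, None),
    }


if __name__ == "__main__":
    print("pattern bytes:", parse_content(RULE_CONTENT), "length", len(parse_content(RULE_CONTENT)))
    for name, hit in evaluate_samples().items():
        print(f"{name:32s} {'ALERT' if hit else 'no match'}")
```

The pattern parses to 18 bytes, which is exactly why the rule sets `depth:18`: a legitimate HTTP/1.1 request has a `Host:` header where the probe has its second line terminator, so it never matches inside that window, and a probe that does not begin at byte 0 is also ignored.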
