[Snort-users] SSL worm sigs

Tim Bogart tim.bogart at ...3092...
Mon Sep 16 13:11:05 EDT 2002


If you please; this will probably sound like a stupid question, but ...

Are the fences around the actual signature part of the signature, or are they
delimiters used by snort?

Tia,

Tim B.

On Sunday 15 September 2002 09:18 pm, Brian Caswell wrote:
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"EXPERIMENTAL
> WEB-MISC bad HTTP/1.1 request, potential worm attack";
> flow:to_server,established; content:"GET / HTTP/1.1|0d 0a 0d 0a|";
> offset:0; depth:18;
> reference:url,securityresponse.symantec.com/avcenter/security/Content/2002.09.13.html;
> classtype:web-application-activity; sid:1881; rev:1;)
>
> As I no longer have an attack lab, I haven't been able to play with the new
> worm that attacks apache-ssl.  However, I have written a sig that looks for
> the precursor that the worm sends.
>
> The worm sends "GET / HTTP/1.1\r\n\r\n" to port 80.  This is not a valid
> HTTP 1.1 request.  This will catch a bunch of lame CGI scanners, and won't
> catch people using the actual exploit, it should catch the worm probing
> your network.
>
> Please test and let me know how the sig works out.  When I get back to work
> tomorrow, I will test a bit more, then commit it to the tree for all to
> grab with the snapshots.
>
> -brian
>
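The pipes in a Snort content string are delimiters for the rule parser, not bytes that get matched: everything between a pair of pipes is read as hex and everything outside them is matched literally. The following is an added illustration, not code from the original thread or from Snort itself; it converts the content string from Brian's rule into the raw bytes Snort would actually compare, applies the offset/depth window, and runs it over two constructed payloads (the hex is written as CR LF CR LF to match the "\r\n\r\n" probe the text describes).

```python
import re
from typing import Optional


def parse_content(spec: str) -> bytes:
    """Turn a Snort content string into the raw bytes that get matched.

    Text outside |...| is taken literally; text inside a pipe pair is hex.
    The pipes themselves never appear in the resulting signature bytes.
    """
    out = bytearray()
    pos = 0
    for m in re.finditer(r"\|([0-9A-Fa-f ]+)\|", spec):
        out += spec[pos:m.start()].encode("latin-1")
        out += bytes.fromhex(m.group(1).replace(" ", ""))
        pos = m.end()
    out += spec[pos:].encode("latin-1")
    return bytes(out)


def content_matches(payload: bytes, spec: str, offset: int = 0,
                    depth: Optional[int] = None) -> bool:
    """Snort-style content check: start at `offset`, look at `depth` bytes."""
    needle = parse_content(spec)
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    return needle in window


# Content and modifiers taken from the quoted rule (hex written as CRLF CRLF).
RULE_CONTENT = "GET / HTTP/1.1|0d 0a 0d 0a|"
RULE_OFFSET, RULE_DEPTH = 0, 18


def rule_fires(payload: bytes) -> bool:
    """True when the quoted rule's content clause would match this payload."""
    return content_matches(payload, RULE_CONTENT, RULE_OFFSET, RULE_DEPTH)


# Constructed sample payloads, not captured traffic.
WORM_PROBE = b"GET / HTTP/1.1\r\n\r\n"                      # bare request, no Host header
NORMAL_REQUEST = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"  # valid HTTP/1.1

if __name__ == "__main__":
    print(parse_content(RULE_CONTENT))  # b'GET / HTTP/1.1\r\n\r\n' (no pipes)
    print(rule_fires(WORM_PROBE))       # True
    print(rule_fires(NORMAL_REQUEST))   # False: Host header follows the request line
```

Because depth:18 is exactly the length of the signature and offset is 0, the clause only fires when the probe is the very first thing in the payload; anything preceding it pushes the match outside the window.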