[Snort-users] W32.Bugbear.B at ...4138... signature

CGhercoias at ...8619... CGhercoias at ...8619...
Fri Jun 6 07:44:20 EDT 2003


Hello all,

In case anyone is interested, I created the definitions for W32.Bugbear.B at ...9395...

I took the payload data from Symantec
http://securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b@...9396...
l
and it seems that they are good.
I might be wrong and please let me know about your experience with them.

<<<<<<<<<<<<<<<<<<<<<<<<<<<<DATA SKIPS>>>>>>>>>>>>>>>>>>>>>>>>>>
# Each rule is one logical line; a trailing backslash continues it on the next line.
# SMTP propagation: the worm body travels as a base64 MIME attachment, so the
# PE optional-header bytes are matched in their base64 form.
alert tcp any any -> any 25 (msg:"BugBear B SMTP Worm Propagation"; \
    flow:to_server,established; \
    content:"CwEGAAAgAQAAEAAAAOAGACABCAAA8AYAABAIAAAAQAAAEAAAAAIAAAQAAAAA"; \
    reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b at ...3071...; \
    classtype:trojan-activity; sid:1000005; rev:3;)

# Network-share propagation: the file is copied as a raw binary, so the same
# header bytes (UPX0 section header, then the PE optional header) must be given
# in Snort's |..| binary notation; a plain string of hex digits would only match
# that ASCII text.
alert tcp any any -> any 139 (msg:"BugBear B Network Worm Propagation"; \
    flow:to_server,established; \
    content:"|55 50 58 30 00 00 00 00 00 E0 06 00 00 10 00 00|"; \
    content:"|0B 01 06 00 00 20 01 00 00 10 00 00 00 E0 06 00 20 01 08 00 00 F0 06 00 00 10 08 00 00 00 40 00 00 10 00 00 00 02|"; \
    reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b at ...3071...; \
    classtype:trojan-activity; sid:1000006; rev:4;)

# Backdoor on 1080: one rule per command character, looked for within the
# first 50 bytes of the client request.
alert tcp any any -> any 1080 (msg:"BugBear B Backdoor Attack"; flow:to_server,established; \
    content:"|3b|p|3b|"; depth:50; \
    reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b at ...3071...; \
    classtype:trojan-activity; sid:1000007; rev:1;)

alert tcp any any -> any 1080 (msg:"BugBear B Backdoor Attack"; flow:to_server,established; \
    content:"|3b|e|3b|"; depth:50; \
    reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b at ...3071...; \
    classtype:trojan-activity; sid:1000008; rev:1;)

alert tcp any any -> any 1080 (msg:"BugBear B Backdoor Attack"; flow:to_server,established; \
    content:"|3b|f|3b|"; depth:50; \
    reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b at ...3071...; \
    classtype:trojan-activity; sid:1000009; rev:1;)

alert tcp any any -> any 1080 (msg:"BugBear B Backdoor Attack"; flow:to_server,established; \
    content:"|3b|s|3b|"; depth:50; \
    reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b at ...3071...; \
    classtype:trojan-activity; sid:1000010; rev:1;)

alert tcp any any -> any 1080 (msg:"BugBear B Backdoor Attack"; flow:to_server,established; \
    content:"|3b|c|3b|"; depth:50; \
    reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b at ...3071...; \
    classtype:trojan-activity; sid:1000011; rev:1;)

alert tcp any any -> any 1080 (msg:"BugBear B Backdoor Attack"; flow:to_server,established; \
    content:"|3b|o|3b|"; depth:50; \
    reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b at ...3071...; \
    classtype:trojan-activity; sid:1000012; rev:1;)

alert tcp any any -> any 1080 (msg:"BugBear B Backdoor Attack"; flow:to_server,established; \
    content:"|3b|k|3b|"; depth:50; \
    reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b at ...3071...; \
    classtype:trojan-activity; sid:1000013; rev:1;)

alert tcp any any -> any 1080 (msg:"BugBear B Backdoor Attack"; flow:to_server,established; \
    content:"|3b|d|3b|"; depth:50; \
    reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b at ...3071...; \
    classtype:trojan-activity; sid:1000014; rev:1;)

alert tcp any any -> any 1080 (msg:"BugBear B Backdoor Attack"; flow:to_server,established; \
    content:"|3b|r|3b|"; depth:50; \
    reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b at ...3071...; \
    classtype:trojan-activity; sid:1000015; rev:1;)

alert tcp any any -> any 1080 (msg:"BugBear B Backdoor Attack"; flow:to_server,established; \
    content:"|3b|h|3b|"; depth:50; \
    reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b at ...3071...; \
    classtype:trojan-activity; sid:1000016; rev:1;)

alert tcp any any -> any 1080 (msg:"BugBear B Backdoor Attack"; flow:to_server,established; \
    content:"|3b|i|3b|"; depth:50; \
    reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b at ...3071...; \
    classtype:trojan-activity; sid:1000017; rev:1;)

alert tcp any any -> any 1080 (msg:"BugBear B Backdoor Attack"; flow:to_server,established; \
    content:"|3b|z|3b|"; depth:50; \
    reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b at ...3071...; \
    classtype:trojan-activity; sid:1000018; rev:1;)

alert tcp any any -> any 1080 (msg:"BugBear B Backdoor Attack"; flow:to_server,established; \
    content:"|3b|y|3b|"; depth:50; \
    reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b at ...3071...; \
    classtype:trojan-activity; sid:1000019; rev:1;)

alert tcp any any -> any 1080 (msg:"BugBear B Backdoor Attack"; flow:to_server,established; \
    content:"|3b|t|3b|"; depth:50; \
    reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b at ...3071...; \
    classtype:trojan-activity; sid:1000020; rev:1;)

Thank you, 
___________________________
Catalin Ghercoias 
Web/Security System Administrator 

website: http://www.fye.com 
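An added Python check (not part of Catalin's post) for the content strings in the rules above: it decodes Snort content notation, shows against a constructed PE fragment why the port-139 header bytes must be written in |..| form rather than as hex digits, and confirms that the SMTP rule's base64 string is those same header bytes at base64 alignment 0 (the other two alignments would encode differently). The sample stream is constructed here, not a real worm body.

```python
import base64

# Values copied from the rules in the post: the PE optional-header bytes as the
# port-139 rule spells them (hex digits), and the base64 string of the SMTP rule.
OPTHDR_HEX = ("0B010600002001000010000000E006002001080000F00600"
              "0010080000004000001000000002")
SMTP_B64 = "CwEGAAAgAQAAEAAAAOAGACABCAAA8AYAABAIAAAAQAAAEAAAAAIAAAQAAAAA"
UPX0_HEX = "555058300000000000E0060000100000"

def parse_content(spec):
    """Bytes a Snort content string matches: text outside |...| is literal
    ASCII, hex pairs inside |...| are raw bytes (e.g. "|3b|p|3b|" -> b";p;")."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("ascii")
    return bytes(out)

def content_matches(stream, spec, depth=None):
    """Emulate a content check with an optional depth on a reassembled stream."""
    window = stream if depth is None else stream[:depth]
    return parse_content(spec) in window

def snort_hex(raw):
    """Render raw bytes in Snort's |..| notation."""
    return "|" + " ".join(f"{b:02X}" for b in raw) + "|"

def base64_views(raw):
    """Base64 text a byte run produces inside a MIME body for each of the three
    alignments (offset mod 3). Only complete 3-byte groups are kept, and the
    first group is dropped when it would mix in unknown preceding bytes."""
    views = []
    for pad in range(3):
        buf = b"\x00" * pad + raw
        enc = base64.b64encode(buf[: len(buf) // 3 * 3]).decode()
        views.append(enc[4:] if pad else enc)
    return views

# Constructed sample of what an SMB file copy would carry: a fake PE stub
# followed by the two header fragments the port-139 rule looks for.
RAW_SAMPLE = b"MZ" + b"\x00" * 30 + bytes.fromhex(OPTHDR_HEX) + bytes.fromhex(UPX0_HEX)

if __name__ == "__main__":
    print(content_matches(RAW_SAMPLE, UPX0_HEX))                            # False
    print(content_matches(RAW_SAMPLE, snort_hex(bytes.fromhex(UPX0_HEX))))  # True
    print(SMTP_B64.startswith(base64_views(bytes.fromhex(OPTHDR_HEX))[0]))  # True
```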