[Snort-users] Some worm?

Matt Kettler mkettler at ...4108...
Mon Apr 12 09:33:09 EDT 2004

At 03:47 PM 4/11/2004, Jan Hugo Prins wrote:
>Lately I get a lot of events that are grouped. First I get a "WEB-MISC
>WebDAV search access" alert, then a "(http_inspect) BARE BYTE UNICODE
>ENCODING"  alert and after that 18 "SHELLCODE x86 NOOP" alerts.
>Is there some worm that tries to propagate using these signatures?

It's definitely been noticed before... someone asked about this specific 
pattern on 4/2 and there was a reply pointing out some notes about a 
multi-exploit worm or script being investigated over on incidents.org.


Some more recent notes indicating it was still going on 4/5


More information about the Snort-users mailing list