[Snort-users] Please post a good Nachi.B Signature

James Riden j.riden at ...11179...
Sat Feb 21 16:53:02 EST 2004


Dan <sophie_bo at ...741...> writes:

> * I had already checked the snort sigs mailing list archives to no avail.
>
> * I help secure a 100,000 + node network. The sig for the original Nachi virus worked great.

Ouch. We're only at 5,000+ here, and I need all the help I can get to
stop viruses. Obviously we use a firewall and AV.

Here's some info from Symantec:

http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.b.worm.html

Manhunt appears to use the same signature format as snort, so you
might be able to track down some stuff from this:

"Symantec ManHunt

    * RPC DCOM

This vector is detected by the custom signature, MS RPC DCOM HEAP Overflow, that was released in Security Update 11.

    * SMB Workstation

This vector is detected by the custom signature, SMB Workstation Service Overflow, that was released in Security Update 12.

    * HTTP WebDAV

Symantec ManHunt Protocol Anomaly Detection technology detects the activity associated with this exploit as "HTTP Malformed URL (HTTP_BAD_REQURL5)." An event refinement rule has been released in Security Update 20 to specifically detect this as "HTTP IIS Welchia WebDAV SEARCH BO."

    * Locator Overflow

This vector is detected by the custom signature, MS NETBIOS Locator Service Buffer Overflow, released in Security Update 20."

You can also learn a lot from looking at portscan.log - email-borne
viruses and those that attempt to connect on 135/445 or whatever show
up pretty well.

cheers,
 Jamie
-- 
James Riden / j.riden at ...11179... / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
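The portscan.log approach mentioned above, worked through as an added example (this is not code from the original post or from Snort itself): a small parser for the old spp_portscan "portscan.log" line layout, plus a sweep detector that flags any source that has SYN'd a threshold number of distinct hosts on 135/445. The log lines are constructed, and the line format is an assumption taken from Snort 2.x spp_portscan output; the later sfPortscan preprocessor writes a different format, so adjust LINE_RE to match what your sensor actually emits.

```python
import re
from collections import defaultdict

# Constructed sample in the old spp_portscan "portscan.log" layout (assumed format;
# check it against your own sensor's output). Host 10.20.1.17 sweeps 135/445 across
# its neighbours, 10.20.3.3 touches only two hosts on 135, 10.20.2.9 sweeps port 80.
SAMPLE_LOG = """\
Feb 21 16:50:01 10.20.1.17:1089 -> 10.20.4.1:135 SYN ******S*
Feb 21 16:50:01 10.20.1.17:1090 -> 10.20.4.2:135 SYN ******S*
Feb 21 16:50:01 10.20.1.17:1091 -> 10.20.4.3:135 SYN ******S*
Feb 21 16:50:02 10.20.1.17:1092 -> 10.20.4.4:445 SYN ******S*
Feb 21 16:50:02 10.20.1.17:1093 -> 10.20.4.5:445 SYN ******S*
Feb 21 16:50:02 10.20.1.17:1094 -> 10.20.4.6:135 SYN ******S*
Feb 21 16:50:02 10.20.1.17:1095 -> 10.20.4.6:445 SYN ******S*
Feb 21 16:50:03 End of portscan from 10.20.1.17 (TOTAL HOSTS:6 TCP:7 UDP:0)
Feb 21 16:51:10 10.20.3.3:2001 -> 10.20.4.20:135 SYN ******S*
Feb 21 16:51:11 10.20.3.3:2002 -> 10.20.4.21:135 SYN ******S*
Feb 21 16:52:30 10.20.2.9:3301 -> 10.20.5.1:80 SYN ******S*
Feb 21 16:52:30 10.20.2.9:3302 -> 10.20.5.2:80 SYN ******S*
Feb 21 16:52:30 10.20.2.9:3303 -> 10.20.5.3:80 SYN ******S*
Feb 21 16:52:31 10.20.2.9:3304 -> 10.20.5.4:80 SYN ******S*
Feb 21 16:52:31 10.20.2.9:3305 -> 10.20.5.5:80 SYN ******S*
Feb 21 16:52:31 10.20.2.9:3306 -> 10.20.5.6:80 SYN ******S*
"""

# One connection-attempt line: "<Mon> <day> <hh:mm:ss> <src>:<sport> -> <dst>:<dport> <kind> <flags>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) (?P<kind>\S+)"
)

# Ports the post singles out: RPC DCOM (135) and SMB (445).
WORM_PORTS = frozenset({135, 445})


def parse_portscan_log(text):
    """Yield one dict per connection-attempt line; summary and malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        yield rec


def suspect_sweepers(text, ports=WORM_PORTS, min_targets=5):
    """Map each source that reached >= min_targets distinct hosts on `ports` to its sorted target list.

    Counting distinct destination hosts rather than raw lines keeps a single noisy
    retry from tripping the threshold; a worm-style sweep fans out across hosts.
    """
    targets = defaultdict(set)
    for rec in parse_portscan_log(text):
        if rec["dport"] in ports:
            targets[rec["src"]].add(rec["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


def port_histogram(text):
    """Count attempts per destination port, to see which services are being swept at all."""
    counts = defaultdict(int)
    for rec in parse_portscan_log(text):
        counts[rec["dport"]] += 1
    return dict(counts)


if __name__ == "__main__":
    print("attempts per port:", port_histogram(SAMPLE_LOG))
    for src, dsts in suspect_sweepers(SAMPLE_LOG).items():
        print(f"{src} hit {len(dsts)} hosts on 135/445: {', '.join(dsts)}")
```

Run it against a real portscan.log by passing the file contents in place of SAMPLE_LOG; the threshold and port set are parameters so the same function can be pointed at whatever ports the next worm happens to use.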
