[Snort-users] Please post a good Nachi.B Signature
j.riden at ...11179...
Sat Feb 21 16:53:02 EST 2004
Dan <sophie_bo at ...741...> writes:
> * I had already checked the snort sigs mailing list archives to no avail.
> * I help secure a 100,000 + node network. The sig for the original Nachi virus worked great.
Ouch. We're only at 5,000+ here, and I need all the help I can get to
stop viruses. Obviously we use firewall and AV.
Here's some info from Symantec:
Manhunt appears to use the same signature format as snort, so you
might be able to track down some stuff from this:
* RPC DCOM
This vector is detected by the custom signature, MS RPC DCOM HEAP Overflow, that was released in Security Update 11.
* SMB Workstation
This vector is detected by the custom signature, SMB Workstation Service Overflow, that was released in Security Update 12.
* HTTP WebDAV
Symantec ManHunt Protocol Anomaly Detection technology detects the activity associated with this exploit as "HTTP Malformed URL (HTTP_BAD_REQURL5)." An event refinement rule has been released in Security Update 20 to specifically detect this as "HTTP IIS Welchia WebDAV SEARCH BO."
* Locator Overflow
This vector is detected by the custom signature, MS NETBIOS Locator Service Buffer Overflow, released in Security Update 20.
You can also learn a lot from looking at portscan.log - email-borne
viruses and those that attempt to connect on 135/445 or whatever show
up pretty well.
James Riden / j.riden at ...11179... / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
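The portscan.log tip above (hosts fanning out to 135/445 stand out) can be turned into a quick triage script. The following is an added example for this thread, not code from the original post or from the Snort project. It assumes the classic Snort 2.x portscan preprocessor line layout ("Mon DD HH:MM:SS src:sport -> dst:dport PROTO FLAGS"); the sample lines are constructed, and the `min_targets` threshold is an arbitrary starting point to tune for your network.

```python
"""Flag hosts that fan out to TCP 135/445 (the RPC DCOM and SMB vectors
named in the thread) by reading Snort's portscan.log.

Added example, not from the original post or the Snort project.
ASSUMES the classic Snort 2.x portscan preprocessor line format; the
sample log below is constructed, not captured from a real sensor.
"""
import re
from collections import defaultdict

# Ports the message calls out: 135 (RPC DCOM / Locator) and 445 (SMB).
WORM_PORTS = {135, 445}

# Assumed portscan.log layout; adjust the regex if your preprocessor differs.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) "
    r"(?P<proto>\w+)(?: (?P<flags>\S+))?$"
)

# Constructed sample: one host sweeping 135/445, one web scanner, one lone SMB hit.
SAMPLE_LOG = """\
Feb 21 16:01:02 10.0.5.17:1031 -> 10.0.9.1:135 SYN ******S*
Feb 21 16:01:02 10.0.5.17:1032 -> 10.0.9.2:135 SYN ******S*
Feb 21 16:01:03 10.0.5.17:1033 -> 10.0.9.3:445 SYN ******S*
Feb 21 16:01:03 10.0.5.17:1034 -> 10.0.9.4:135 SYN ******S*
Feb 21 16:01:04 10.0.5.17:1035 -> 10.0.9.5:445 SYN ******S*
Feb 21 16:01:05 10.0.7.3:2201 -> 10.0.9.40:80 SYN ******S*
Feb 21 16:01:05 10.0.7.3:2202 -> 10.0.9.41:80 SYN ******S*
Feb 21 16:01:06 10.0.7.9:3300 -> 10.0.9.50:445 SYN ******S*
this line is garbage and must be skipped
"""


def parse_portscan_log(text):
    """Yield (src, dst, dport) for each well-formed line; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["src"], m["dst"], int(m["dport"])


def suspect_sources(text, min_targets=3, ports=WORM_PORTS):
    """Return {src: sorted distinct destinations} for sources that touched at
    least `min_targets` distinct hosts on the worm ports.  Distinct targets,
    not raw connection count, is what separates a sweep from normal SMB use."""
    fanout = defaultdict(set)
    for src, dst, dport in parse_portscan_log(text):
        if dport in ports:
            fanout[src].add(dst)
    return {src: sorted(dsts) for src, dsts in fanout.items()
            if len(dsts) >= min_targets}


if __name__ == "__main__":
    for src, targets in suspect_sources(SAMPLE_LOG).items():
        print(f"{src} touched {len(targets)} hosts on 135/445: "
              f"{', '.join(targets)}")
```

Run it against a real portscan.log by replacing `SAMPLE_LOG` with the file contents; hosts that trip the threshold are candidates for AV follow-up rather than proof of infection, since legitimate domain or management traffic also lands on 445.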