[Snort-users] Gaobot worm

Matt Kettler mkettler at ...4108...
Wed May 26 09:00:01 EDT 2004


At 02:55 PM 5/25/2004, Pat Delaney wrote:
>I'm some what of a snort nubie. What rule set shoul I be using to deteck 
>the Gaobot worm.

The ones that come with snort 2.1.2 catch most of Gaobot's exploits


sid:1384 should catch Gaobot's upnp notify exploits. 
(<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0876>CAN-2001-0876)
sid: 2316 should catch Gaobot's XP workstation exploits 
(<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0812>CAN-2003-0812)
sid: 2351 should catch Gaobot's rpc dcom exploits 
(<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0352>CAN-2003-0352)
sid: 2090 should catch Gaobot's webdav exploits 
(<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0109>CAN-2003-0109)
sid: 2091 should catch Gaobot's webdav exploits 
(<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0109>CAN-2003-0109)

Vulnerabilities I couldn't find a sig for in 2.1.2 (but may be in newer 
snapshots, or just not referenced by CAN in the rules):
SQL: 
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1145>CAN-2002-1145 

LSAS: 
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0533>CAN-2003-0533





More information about the Snort-users mailing list