From: Mark E (mjeWIN2000MAG.COM)
Date: Fri Sep 21 2001 - 08:09:47 CDT


    From: http://www.snort.org/article.html?id=31

    ====

    Everyone and their brother has put out an advisory on NIMDA, the latest worm
    to thrash IExplore, Outlook Express, and IIS. This worm does a number of
    cute things that are well documented in the SANS advisory available here.

    Snort 1.8.1 included signatures to detect most of the attacks used by NIMDA
    already, but just in case you need a refresher the signatures are included
    here.

    alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 \
    (msg:"WEB-IIS multiple decode attempt"; \
    flags:A+; uricontent:"%5c"; uricontent:".."; \
    reference:cve,CAN-2001-0333; \
    classtype:attempted-user; sid:970; rev:2;)

    alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 \
    (msg:"WEB-IIS msdac access"; \
    flags:A+; uricontent:"/msdac/"; nocase; \
    classtype:bad-unknown; sid:1285; rev:1;)

    alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 \
    (msg:"WEB-IIS _mem_bin access"; \
    flags:A+; uricontent:"/_mem_bin/"; nocase; \
    classtype:bad-unknown; sid:1286; rev:1;)

    alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 \
    (msg:"WEB-IIS scripts access"; \
    flags:A+; uricontent:"/scripts/"; nocase; \
    classtype:bad-unknown; sid:1287; rev:1;)

    alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 \
    (msg:"WEB-IIS cmd.exe access"; \
    flags: A+; content:"cmd.exe"; nocase; \
    classtype:attempted-user; sid:1002; rev:1;)

    alert udp any any -> any 69 \
    (msg:"TFTP GET Admin.dll"; \
    content: "|41 64 6D 69 6E 2E 64 6C 6C 00 6F 63 74 65 74|"; \
    classtype:successful-admin; sid:1289; rev:1; \
    reference:url,www.cert.org/advisories/CA-2001-26.html;)

    alert tcp $EXTERNAL_NET 80 -> $HOME_NET any \
    (msg:"WEB-MISC readme.eml autoload attempt"; \
    flags:A+; content:"window.open(\"readme.eml\""; nocase; \
    classtype:attempted-user; sid:1290; rev:2; \
    reference:url,www.cert.org/advisories/CA-2001-26.html;)

    alert tcp $EXTERNAL_NET 80 -> $HOME_NET any \
    (msg:"WEB-MISC readme.eml attempt"; \
    flags:A+; uricontent:"readme.eml"; nocase; \
    classtype:attempted-user; sid:1284; rev:3; \
    reference:url,www.cert.org/advisories/CA-2001-26.html;)

    alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 \
    (msg:"WEB-FRONTPAGE /_vti_bin/ access";flags: A+; \
    uricontent:"/_vti_bin/"; nocase; classtype:bad-unknown; \
    sid:1288; rev:1;)

    _____________________________________________________________________
    ** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
    ** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
    SEND ALL COMMANDS TO: listservlistserv.ntsecurity.net
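The following is an added example, not part of the post above and not Snort's own code: it re-implements the HTTP-side rules from the article (the six request-direction rules and the readme.eml autoload response rule; the UDP TFTP rule and sid 1284 are left out) as a small matcher and runs it over constructed Nimda-style requests. Assumptions are labelled in the code: `normalize_uri` does a single pass of %xx decoding to approximate what Snort's http_decode preprocessor handed to `uricontent`, which is why sid 970's literal `%5c` fires on a double-encoded `%255c` traversal; `content:` options are checked against the raw payload; all sample traffic is made up here. One caveat worth checking against your own sensor: CERT CA-2001-26 lists `GET /msadc/root.exe?/c+dir` among the worm's probes, while sid 1285 as printed above looks for the string `/msdac/`, so the example includes that request to show it does not trigger that rule as written.

```python
"""Added example: the Nimda HTTP signatures from the post as a rule matcher.

This is NOT Snort code. It models two Snort rule options only:
  uricontent  - substring of the (once-decoded) request URI
  content     - substring of the raw payload
and ANDs all options of a rule, as Snort does.
"""
from typing import NamedTuple, Tuple, List
from urllib.parse import unquote


class Rule(NamedTuple):
    sid: int
    msg: str
    uricontent: Tuple[str, ...]
    content: Tuple[str, ...]
    nocase: bool


# Client -> $HTTP_SERVERS 80 rules, transcribed from the post (patterns verbatim).
REQUEST_RULES: List[Rule] = [
    Rule(970,  "WEB-IIS multiple decode attempt",   ("%5c", ".."),   (),           False),
    Rule(1285, "WEB-IIS msdac access",              ("/msdac/",),    (),           True),
    Rule(1286, "WEB-IIS _mem_bin access",           ("/_mem_bin/",), (),           True),
    Rule(1287, "WEB-IIS scripts access",            ("/scripts/",),  (),           True),
    Rule(1002, "WEB-IIS cmd.exe access",            (),              ("cmd.exe",), True),
    Rule(1288, "WEB-FRONTPAGE /_vti_bin/ access",   ("/_vti_bin/",), (),           True),
]

# Server 80 -> client rule: a content: match on the response body.
RESPONSE_RULES: List[Rule] = [
    Rule(1290, "WEB-MISC readme.eml autoload attempt", (), ('window.open("readme.eml"',), True),
]


def request_uri(request: str) -> str:
    """Pull the request-target out of the request line ('GET /x HTTP/1.0')."""
    line = request.split("\r\n", 1)[0]
    parts = line.split(" ")
    return parts[1] if len(parts) >= 2 else ""


def normalize_uri(uri: str) -> str:
    """ASSUMPTION: one pass of %xx decoding, approximating http_decode.

    A double-encoded '%255c' becomes the literal '%5c' that sid 970 looks for,
    while a single-encoded '%5c' becomes a backslash and is no longer that string.
    """
    return unquote(uri)


def _contains(haystack: str, needle: str, nocase: bool) -> bool:
    if nocase:
        return needle.lower() in haystack.lower()
    return needle in haystack


def match(rules: List[Rule], uri: str, payload: str) -> List[int]:
    """Return the sids of every rule whose options all hit (sorted for stable output)."""
    hits = []
    for r in rules:
        uri_ok = all(_contains(uri, u, r.nocase) for u in r.uricontent)
        payload_ok = all(_contains(payload, c, r.nocase) for c in r.content)
        if uri_ok and payload_ok:
            hits.append(r.sid)
    return sorted(hits)


def match_request(request: str) -> List[int]:
    """Apply the inbound rules to one raw HTTP request (headers included)."""
    return match(REQUEST_RULES, normalize_uri(request_uri(request)), request)


def match_response(response: str) -> List[int]:
    """Apply the outbound rule; a response carries no request URI, so only content: applies."""
    return match(RESPONSE_RULES, "", response)


# Constructed sample traffic (not captures): Nimda-style probes plus a benign request.
SAMPLE_REQUESTS = {
    "scripts_double_decode": "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\nHost: www\r\n\r\n",
    "vti_bin_double_decode": "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n",
    "msadc_root_exe":        "GET /msadc/root.exe?/c+dir HTTP/1.0\r\n\r\n",
    "benign":                "GET /index.html HTTP/1.0\r\n\r\n",
}
SAMPLE_RESPONSE = (
    "HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
    '<html><script language="JavaScript">'
    'window.open("readme.eml", null, "resizable=no,top=6000,left=6000");'
    "</script></html>"
)

if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        print(f"{name:24s} -> {match_request(req)}")
    print(f"{'readme.eml response':24s} -> {match_response(SAMPLE_RESPONSE)}")
```

Running it shows the double-decode probes lighting up three rules each (970 plus the directory rule plus 1002 for `cmd.exe`), the benign request matching nothing, and the `/msadc/root.exe` probe matching nothing against the rule set as printed, which is the check to make before trusting sid 1285 on a production sensor.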