Snort mailing list archives
SNORT sig for Eeye's Nimda Scanner
From: jruff <jruff () nc rr com>
Date: Thu, 20 Sep 2001 09:50:05 -0700 (PDT)
I'm using the following to identify Eeye's Nimda Scanner Tool (bottom). I've placed it in a new rules file along with Eeye's CodeRed Scanner called 'scantools.rules'. This file needs to go at the top of your include list because the Nimda scanner comes in two separate packets. The second packet not only contains content "eeye", but also uricontent "c+dir" that matches the Nimda rules that are being circulated.

The payload of the two packet combo from the Eeye Nimda scanner looks like this:

[..SNIP..]
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
09/20-12:30:42.535883 130.110.93.31:4802 -> 130.110.90.78:80
TCP TTL:127 TOS:0x0 ID:44931 IpLen:20 DgmLen:94 DF
***AP*** Seq: 0xDE3430A1  Ack: 0xD1EA7920  Win: 0x4510  TcpLen: 20
48 45 41 44 20 2F 20 48 54 54 50 2F 31 2E 31 0A  HEAD / HTTP/1.1.
48 6F 73 74 3A 20 65 65 79 65 0D 0A 43 6F 6E 6E  Host: eeye..Conn
65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C 69  ection: Keep-Ali
76 65 0D 0A 0D 0A                                ve....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
09/20-12:30:42.731751 130.110.93.31:4802 -> 130.110.90.78:80
TCP TTL:127 TOS:0x0 ID:44933 IpLen:20 DgmLen:200 DF
***AP*** Seq: 0xDE3430D7  Ack: 0xD1EA7A32  Win: 0x43FE  TcpLen: 20
47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25  GET /scripts/..%
35 63 2E 2E 25 35 63 2E 2E 25 35 63 2E 2E 25 35  5c..%5c..%5c..%5
63 77 69 6E 6E 74 2F 73 79 73 74 65 6D 33 32 2F  cwinnt/system32/
63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69 72 20 48  cmd.exe?/c+dir H
54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20 65  TTP/1.1..Host: e
65 79 65 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A  eye..User-Agent:
20 4D 6F 7A 69 6C 6C 61 2F 34 2E 30 20 28 63 6F   Mozilla/4.0 (co
6D 70 61 74 69 62 6C 65 3B 20 4D 53 49 45 20 35  mpatible; MSIE 5
2E 30 31 3B 20 57 69 6E 64 6F 77 73 20 4E 54 20  .01; Windows NT
35 2E 30 29 0D 0A 0D 0A 35 2E 30 29 0D 0A 0D 0A  5.0)....5.0)....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[..END SNIP..]
I'm also using a custom classtype in my 'classification.config' file for these scanning tools. Here is the entry from my 'classification.config' file:

[..SNIP..]
config classification: scan-detect-tool,Vulnerability Scan Detection Tool,0
[..END SNIP..]

CONTENTS OF MY scantools.rules FILE:

[..SNIP..]
#For eEye's Code Red scanner:
#----------
alert tcp any any -> any 80 (msg: "Eeye Scanner for CodeRed"; dsize:239; flags: A+; content:"|2F782e69 64613f41 41414141|"; depth:64; classtype: scan-detect-tool; priority: 0;)

#For Eeye's Nimda Scanner:
#----------
alert tcp any any -> any 80 (msg: "Eeye Scanner for Nimda"; content:"eeye"; nocase; flags:A+; classtype: scan-detect-tool; priority: 0;)
[..END SNIP..]

Best Regards,
John

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
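The ordering problem John describes (the second scanner packet satisfies both the "eeye" rule and the generic Nimda "c+dir" rules, so whichever rule file is included first decides which alert fires) can be checked offline with a small model of the content, nocase, depth, dsize and uricontent options. The following is an added example and not code from the post or from Snort: the two payloads are decoded from the hex dumps above, the "Nimda c+dir probe (stand-in)" rule is a hypothetical stand-in for the circulating Nimda rules, and first-match alerting plus a naive request-target extraction (no URI normalisation) are simplifying assumptions about Snort's behaviour.

```python
"""Model the Snort rule options used in scantools.rules and run them over the
two eEye Nimda-scanner payloads from the post.  Added example, not Snort's own
matching code; first-match alerting and the URI extraction are assumptions."""
from dataclasses import dataclass
from typing import List, Optional

# Payloads decoded from the two hex dumps in the post.  Lengths equal
# DgmLen minus the 40 bytes of IP+TCP header (94-40=54, 200-40=160).
PKT1 = b"HEAD / HTTP/1.1\nHost: eeye\r\nConnection: Keep-Alive\r\n\r\n"
PKT2 = (b"GET /scripts/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe?/c+dir HTTP/1.1\r\n"
        b"Host: eeye\r\n"
        b"User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)\r\n\r\n"
        b"5.0)\r\n\r\n")  # trailing bytes reproduced exactly as the dump shows them


def parse_content(spec: str) -> bytes:
    """Decode Snort content syntax: literal text with |hex bytes| segments."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        # Odd-numbered segments sit between pipes and are hex; whitespace is ignored.
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


@dataclass
class Rule:
    msg: str
    content: Optional[bytes] = None
    nocase: bool = False
    depth: Optional[int] = None      # only search the first `depth` payload bytes
    uricontent: Optional[bytes] = None
    dsize: Optional[int] = None      # exact payload size required

    def matches(self, payload: bytes) -> bool:
        if self.dsize is not None and len(payload) != self.dsize:
            return False
        if self.content is not None:
            hay = payload if self.depth is None else payload[:self.depth]
            needle = self.content
            if self.nocase:
                hay, needle = hay.lower(), needle.lower()
            if needle not in hay:
                return False
        if self.uricontent is not None:
            # Assumption: take the request-target from the request line; real
            # Snort normalises the URI before uricontent is applied.
            fields = payload.split(b"\n", 1)[0].split(b" ")
            uri = fields[1] if len(fields) > 1 else b""
            if self.uricontent not in uri:
                return False
        return True


# The two rules from the post's scantools.rules (flags:A+ omitted: no TCP header here).
SCANTOOLS: List[Rule] = [
    Rule("Eeye Scanner for CodeRed",
         content=parse_content("|2F782e69 64613f41 41414141|"), depth=64, dsize=239),
    Rule("Eeye Scanner for Nimda", content=b"eeye", nocase=True),
]
# Hypothetical stand-in for the circulating Nimda rules that key on uricontent "c+dir".
NIMDA: List[Rule] = [Rule("Nimda c+dir probe (stand-in)", uricontent=b"c+dir")]


def all_alerts(payload: bytes, rules: List[Rule]) -> List[str]:
    """Every rule whose options are all satisfied, in file order."""
    return [r.msg for r in rules if r.matches(payload)]


def first_alert(payload: bytes, rules: List[Rule]) -> Optional[str]:
    """Assumed first-match behaviour: the earliest matching rule wins the alert."""
    for r in rules:
        if r.matches(payload):
            return r.msg
    return None


if __name__ == "__main__":
    for name, pkt in (("packet 1", PKT1), ("packet 2", PKT2)):
        print(name, "all matches:", all_alerts(pkt, SCANTOOLS + NIMDA))
    print("scantools first:", first_alert(PKT2, SCANTOOLS + NIMDA))
    print("scantools last: ", first_alert(PKT2, NIMDA + SCANTOOLS))
```

With scantools.rules included first, both packets are reported as the eEye scanner; with it included after the Nimda rules, the second packet is reported as a Nimda probe instead, which is exactly why the post puts the file at the top of the include list. The dsize:239 check also shows why the Code Red rule stays quiet on these two packets even though it is evaluated first.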