[Dshield] Fwd: [Snort-sigs] W32.Bugbear.B@mm Signature

Mark Tombaugh mtombaugh at alliedcc.com
Fri Jun 6 17:53:57 GMT 2003


Haven't tested this, but I do have it in place... no alerts yet... no complaints
either. Is Bugbear limited to tcp 139 like this sig is?

PS - I assume paranoid people don't sleep well at night. I do this so I can...

----------  Forwarded Message  ----------

Subject: [Snort-sigs] W32.Bugbear.B@mm Signature
Date: Friday 06 June 2003 8:58 am
From: Tinsley Paul <Paul.Tinsley at HCAhealthcare.com>
To: "'snort-sigs at lists.sourceforge.net'"  <snort-sigs at lists.sourceforge.net>

Bugbear seems to be a mean one. I ran across this signature on Symantec's
site.  Figured I would pass this along in case anybody needed it.

alert tcp any any -> any 139 (msg:"BugBear B Network Worm Propagation";
content:"|0B010600002001000010000000E006002001080000F00600001008000000400000
1000000002000004000000000000000400000000000000002008000010000000000000020000
0000001000001000000000100000100000000000001000000000000000000000000010080064
010000000000000000000000000000000000000000000000000000641108000C|";
content:"|555058300000000000E0060000100000|"; classtype:misc-activity;
sid:900019; rev:1;)

Thanks,
Paul Tinsley
Senior Security Engineer
Security Assurance
2555 Park Plaza, DC-3N
Nashville, TN 37075
Office: (615) 344-6403
Pager: (615) 960-7766 or paul.tinsley at my2way.com
Cell:    (615) 973-5353
mailto:paul.tinsley at hcahealthcare.com



-------------------------------------------------------

-- 
   Mark Tombaugh <mtombaugh at alliedcc.com>
   Allied Computer Corporation <http://www.alliedcc.com>
   USiHOST, iNC. <http://www.usihost.com>
     
   PGP: <http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE4149F0D>
                BCF2 2DB6 D739 DA53 F67A  E764 A3C5 60CA E414 9F0D
	            
   **********************************************************************
   The message is for the use of the intended recipient only. It may
   contain information that is privileged and confidential. If you are not
   the intended recipient of this message, any disclosure, copying,
   distribution, or use thereof is prohibited.
   
   If you have received this message in error, please delete or notify me
   by returning the message to <mtombaugh at alliedcc.com>
   **********************************************************************
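
An added example, not part of the original post or of the forwarded rule: it unwraps the rule as mailed, decodes its two content patterns, and reads them as the start of a PE32 optional header and a section header named UPX0. That shows the content bytes describe the executable file itself, while the tcp 139 restriction comes only from the rule header. The function names and the sample payload are constructed for illustration.

```python
import re
import struct

# Rule text as wrapped in the post above; hex bytes copied verbatim.
RULE = '''alert tcp any any -> any 139 (msg:"BugBear B Network Worm Propagation";
content:"|0B010600002001000010000000E006002001080000F00600001008000000400000
1000000002000004000000000000000400000000000000002008000010000000000000020000
0000001000001000000000100000100000000000001000000000000000000000000010080064
010000000000000000000000000000000000000000000000000000641108000C|";
content:"|555058300000000000E0060000100000|"; classtype:misc-activity;
sid:900019; rev:1;)'''

# First twelve fields of a PE32 optional header, in on-disk order.
OPT_FIELDS = ("magic", "linker_major", "linker_minor", "size_of_code",
              "size_of_init_data", "size_of_uninit_data", "entry_point",
              "base_of_code", "base_of_data", "image_base",
              "section_alignment", "file_alignment")

def content_patterns(rule):
    """Return every content:"|hex|" option as bytes, undoing mail line wraps."""
    unwrapped = "".join(rule.split())
    hexes = re.findall(r'content:"\|([0-9A-Fa-f]+)\|"', unwrapped)
    return [bytes.fromhex(h) for h in hexes]

def dest_port(rule):
    """Destination port from the header: action proto src sport -> dst dport."""
    return int(rule.split("(", 1)[0].split()[6])

def optional_header_fields(buf):
    """Decode the leading PE32 optional header fields (little-endian)."""
    return dict(zip(OPT_FIELDS, struct.unpack_from("<HBB9I", buf)))

def section_header_fields(buf):
    """Decode Name, VirtualSize and VirtualAddress of a PE section header."""
    name, vsize, vaddr = struct.unpack_from("<8sII", buf)
    return name.rstrip(b"\0").decode("ascii"), vsize, vaddr

def would_alert(rule, dport, payload):
    """The rule fires only if the port matches and every content occurs."""
    pats = content_patterns(rule)
    return dport == dest_port(rule) and all(p in payload for p in pats)

if __name__ == "__main__":
    hdr, sect = content_patterns(RULE)
    for key, value in optional_header_fields(hdr).items():
        print(f"{key:20s} {value:#x}")
    print(section_header_fields(sect))
    sample = b"\x00" * 8 + hdr + b"\x00" * 24 + sect  # constructed payload
    print(would_alert(RULE, 139, sample), would_alert(RULE, 8080, sample))
```
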