[Dshield] Fwd: [Snort-sigs] W32.Bugbear.B@mm Signature

Deb Hale haled at pionet.net
Fri Jun 6 18:36:42 GMT 2003


 
How About "I'd Rather be paranoid than Unemployed"  :)

Deborah F Hale
Certified Business Continuity Professional/Computer Security
Specialist
BCP Enterprise, Inc
Telephone: (712) 252-0361
www.bcpenterprise.com
 


-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On
Behalf Of Mark Tombaugh
Sent: Friday, June 06, 2003 12:54 PM
To: list at dshield.org
Subject: [Dshield] Fwd: [Snort-sigs] W32.Bugbear.B@mm Signature


Haven't tested this, but I do have it in place..no alerts yet..no complaints 
either..Is Bugbear limited to tcp 139 like this sig is?

PS - I assume paranoid people don't sleep well at night. I do this so I can...

----------  Forwarded Message  ----------

Subject: [Snort-sigs] W32.Bugbear.B@mm Signature
Date: Friday 06 June 2003 8:58 am
From: Tinsley Paul <Paul.Tinsley at HCAhealthcare.com>
To: "'snort-sigs at lists.sourceforge.net'"  <snort-sigs at lists.sourceforge.net>

Bugbear seems to be a mean one, I ran across this signature on Symantec's site.  Figured I would pass this along in case anybody needed it.

alert tcp any any -> any 139 (msg:"BugBear B Network Worm Propagation"; content:"|0B010600002001000010000000E006002001080000F0060000100800000040000010000000020000040000000000000004000000000000000020080000100000000000000200000000001000001000000000100000100000000000001000000000000000000000000010080064010000000000000000000000000000000000000000000000000000641108000C|"; content:"|555058300000000000E0060000100000|"; classtype:misc-activity; sid:900019; rev:1;)

Thanks,
Paul Tinsley
Senior Security Engineer
Security Assurance
2555 Park Plaza, DC-3N
Nashville, TN 37075
Office: (615) 344-6403
Pager: (615) 960-7766 or paul.tinsley at my2way.com
Cell:    (615) 973-5353
mailto:paul.tinsley at hcahealthcare.com



-- 
   Mark Tombaugh <mtombaugh at alliedcc.com>
   Allied Computer Corporation <http://www.alliedcc.com>
   USiHOST, iNC. <http://www.usihost.com>
     
   PGP: <http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE4149F0D>
                BCF2 2DB6 D739 DA53 F67A  E764 A3C5 60CA E414 9F0D
	            


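What the two content patterns in the forwarded rule match, as an added example that is not part of the original thread: read as little-endian PE structures, the first pattern is the start of a PE32 optional header and the second is a section header named UPX0, and the rule header only inspects traffic to tcp 139. Treating the bytes as PE structures is an assumption of this example, and the function names are hypothetical.

```python
import re
import struct

# The rule from the forwarded message, with the e-mail line wrapping undone.
RULE = (
    'alert tcp any any -> any 139 (msg:"BugBear B Network Worm Propagation"; '
    'content:"|0B010600002001000010000000E006002001080000F00600001008000000400000'
    '1000000002000004000000000000000400000000000000002008000010000000000000020000'
    '0000001000001000000000100000100000000000001000000000000000000000000010080064'
    '010000000000000000000000000000000000000000000000000000641108000C|"; '
    'content:"|555058300000000000E0060000100000|"; '
    'classtype:misc-activity; sid:900019; rev:1;)'
)

def parse_rule(rule):
    """Return (destination port, list of hex content patterns as bytes)."""
    header, _, options = rule.partition("(")
    dst_port = header.split()[6]  # action proto src sport -> dst dport
    hexes = re.findall(r'content:"\|([0-9A-Fa-f ]+)\|"', options)
    return dst_port, [bytes.fromhex(h) for h in hexes]

def decode_optional_header(data):
    """Assumption: data is the start of a PE32 optional header."""
    names = ("magic", "linker_major", "linker_minor", "size_of_code",
             "size_of_init_data", "size_of_uninit_data", "entry_point",
             "base_of_code", "base_of_data", "image_base")
    return dict(zip(names, struct.unpack_from("<HBB7I", data)))

def decode_section_header(data):
    """Assumption: data is the start of a PE section header."""
    name, vsize, vaddr = struct.unpack_from("<8sII", data)
    return {"name": name.rstrip(b"\0").decode("ascii"),
            "virtual_size": vsize, "virtual_address": vaddr}

if __name__ == "__main__":
    port, (opt, sect) = parse_rule(RULE)
    print("destination port:", port)
    for field, value in decode_optional_header(opt).items():
        print(f"  {field:20s} {value:#x}")
    print("section:", decode_section_header(sect))
```

Both patterns are fixed header bytes of one particular executable image, so the rule is a file-match on tcp 139 traffic rather than a behavioural signature.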




