[unisog] TCPDUMP/PCAP signature for W32.Witty worm

Andreas Östling andreaso at it.su.se
Tue Mar 23 08:58:27 GMT 2004

If anyone running Snort missed this, SIDs 2243-2246 were released a while ago 
that look for the actual security flaw being exploited instead of for the 
worm specifically. Probably useful to catch both worm and non-worm 


On Monday 22 March 2004 21:10, Stephen Bernard wrote:
> In particular, this looks for UDP packets with a source port of 4000 and
> a destination port > 1024 that contain the string "insert.witty"
> starting at byte 131 of the data portion of the datagram. I don't bother
> looking for the whole "insert.witty.message.here" string because what
> I've got works with less processing. This example does not filter the
> source or destination network.

More information about the unisog mailing list