[unisog] TCPDUMP/PCAP signature for W32.Witty worm
andreaso at it.su.se
Tue Mar 23 08:58:27 GMT 2004
If anyone running Snort missed this, SIDs 2243-2246 were released a while ago
that look for the actual security flaw being exploited instead of for the
worm specifically. Probably useful to catch both worm and non-worm
On Monday 22 March 2004 21:10, Stephen Bernard wrote:
> In particular, this looks for UDP packets with a source port of 4000 and
> a destination port > 1024 that contain the string "insert.witty"
> starting at byte 131 of the data portion of the datagram. I don't bother
> looking for the whole "insert.witty.message.here" string because what
> I've got works with less processing. This example does not filter the
> source or destination network.
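As an added illustration (example code written for this archive copy, not Stephen's or anyone's original filter), here is a pure-Python check with the same four conditions, plus a function that renders them as the equivalent tcpdump/BPF expression. Two points the quoted description leaves open are taken as assumptions: that "byte 131" is a 0-based offset into the UDP payload, and that the '.' in "insert.witty" stands for any single byte rather than a literal dot. The sample datagrams at the bottom are constructed, not captured.

```python
"""Added example: a pure-Python check with the same conditions as the
tcpdump filter described above (UDP, source port 4000, destination
port > 1024, "insert.witty" at byte 131 of the datagram payload), plus a
generator for the equivalent BPF expression.  Not code from the original
post.  Assumptions: byte 131 is a 0-based offset into the UDP payload,
and the '.' in the quoted string stands for any single byte."""
import struct

WITTY_SRC_PORT = 4000
SIG_OFFSET = 131                # 0-based offset into the UDP payload (assumption)
SIG_PATTERN = b"insert.witty"   # '.' treated as a one-byte wildcard (assumption)
WILDCARD = 0x2E                 # ord('.')


def pattern_matches(data, offset, pattern):
    """True if pattern matches data at offset; '.' in pattern matches any byte."""
    if len(data) < offset + len(pattern):
        return False
    window = data[offset:offset + len(pattern)]
    return all(p == WILDCARD or p == w for p, w in zip(pattern, window))


def is_witty_datagram(udp_datagram):
    """Apply the filter to a UDP header + payload (what tcpdump's udp[...] indexes)."""
    if len(udp_datagram) < 8:
        return False
    sport, dport, _length, _csum = struct.unpack("!HHHH", udp_datagram[:8])
    if sport != WITTY_SRC_PORT or dport <= 1024:
        return False
    return pattern_matches(udp_datagram[8:], SIG_OFFSET, SIG_PATTERN)


def _fixed_runs(pattern):
    """Yield (offset, bytes) for each maximal run of non-wildcard bytes."""
    start = None
    for i, b in enumerate(pattern):
        if b == WILDCARD:
            if start is not None:
                yield start, pattern[start:i]
                start = None
        elif start is None:
            start = i
    if start is not None:
        yield start, pattern[start:]


def bpf_filter():
    """Render the same test as a tcpdump/BPF expression.

    BPF has no wildcards, so each fixed run is compared in 4-, 2- or 1-byte
    pieces and the wildcard byte is simply skipped.  udp[N] counts from the
    start of the UDP header, so payload byte 131 is udp[139].
    """
    terms = ["udp", f"src port {WITTY_SRC_PORT}", "udp[2:2] > 1024"]
    for run_off, run in _fixed_runs(SIG_PATTERN):
        pos = 0
        while pos < len(run):
            left = len(run) - pos
            width = 4 if left >= 4 else 2 if left >= 2 else 1
            chunk = run[pos:pos + width]
            terms.append(f"udp[{8 + SIG_OFFSET + run_off + pos}:{width}] = 0x{chunk.hex()}")
            pos += width
    return " and ".join(terms)


def make_udp(sport, dport, payload):
    """Build a UDP header + payload for testing (checksum left as zero)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


# Constructed sample payload, not a real capture: filler up to the signature
# offset, then marker text where a space sits under the pattern's '.'.
SAMPLE_PAYLOAD = b"\x00" * SIG_OFFSET + b"insert witty message here" + b"\x00" * 20

if __name__ == "__main__":
    print("BPF:", bpf_filter())
    for label, dgram in [
        ("match", make_udp(4000, 31337, SAMPLE_PAYLOAD)),
        ("low dst port", make_udp(4000, 80, SAMPLE_PAYLOAD)),
        ("wrong src port", make_udp(4001, 31337, SAMPLE_PAYLOAD)),
        ("shifted by one", make_udp(4000, 31337, b"\x00" * 130 + b"insert witty" + b"\x00" * 5)),
    ]:
        print(f"{label:15} -> {is_witty_datagram(dgram)}")
```

Two things to keep in mind when pasting the generated expression into tcpdump: udp[N] in BPF is indexed from the start of the UDP header, which is why payload byte 131 becomes udp[139], and if you want to see or save the signature bytes themselves rather than just the headers, run with -s 0 (or a snaplen well past 150 bytes), because a short snaplen will cut the datagram off before that point.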