
Re: [Snort-users] Please post a good Nachi.B Signature



#1
Old 02-22-2004
James Riden

Dan <sophie_bo@earthlink.net> writes:

> * I had already checked the snort sigs mailing list archives to no avail.
>
> * I help secure a 100,000 + node network. The sig for the original Nachi virus worked great.

Ouch. We're only at 5,000+ here, and I need all the help I can get to
stop viruses. Obviously we use firewall and AV.

Here's some info from Symantec:

http://securityresponse.symantec.com...ia.b.worm.html

Manhunt appears to use the same signature format as snort, so you
might be able to track down some stuff from this:

"Symantec ManHunt

* RPC DCOM

This vector is detected by the custom signature, MS RPC DCOM HEAP Overflow, that was released in Security Update 11.

* SMB Workstation

This vector is detected by the custom signature, SMB Workstation Service Overflow, that was released in Security Update 12.

* HTTP WebDAV

Symantec ManHunt Protocol Anomaly Detection technology detects the activity associated with this exploit as "HTTP Malformed URL (HTTP_BAD_REQURL5)." An event refinement rule has been released in Security Update 20 to specifically detect this as "HTTP IIS Welchia WebDAV SEARCH BO."

* Locator Overflow

This vector is detected by the custom signature, MS NETBIOS Locator Service Buffer Overflow, released in Security Update 20."

You can also learn a lot from looking at portscan.log - email-borne
viruses and those that attempt to connect on 135/445 or whatever show
up pretty well.

cheers,
Jamie
--
James Riden / j.riden@massey.ac.nz / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
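As an added example (not from this post, from Snort or from Symantec), here is the kind of check Jamie's portscan.log tip suggests: a small script that parses constructed records in the assumed layout of the old spp_portscan log and reports sources that touched many distinct hosts on 135 or 445, the RPC DCOM and SMB vectors listed above. The log layout, the addresses and the threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the layout assumed for Snort's spp_portscan log:
# "Mon DD HH:MM:SS src:sport -> dst:dport flags". 10.1.1.50 walks through
# many hosts on 135/445, 10.1.1.77 makes a couple of ordinary RPC/SMB
# connections, and 10.1.1.88 only talks to a web server.
SAMPLE_PORTSCAN_LOG = """\
Feb 22 01:30:01 10.1.1.50:1041 -> 10.1.2.1:135 SYN ******S*
Feb 22 01:30:01 10.1.1.50:1042 -> 10.1.2.2:135 SYN ******S*
Feb 22 01:30:01 10.1.1.50:1043 -> 10.1.2.3:135 SYN ******S*
Feb 22 01:30:02 10.1.1.50:1044 -> 10.1.2.4:445 SYN ******S*
Feb 22 01:30:02 10.1.1.50:1045 -> 10.1.2.5:135 SYN ******S*
Feb 22 01:30:02 10.1.1.50:1046 -> 10.1.2.6:445 SYN ******S*
Feb 22 01:30:02 10.1.1.50:1047 -> 10.1.2.3:445 SYN ******S*
Feb 22 01:30:05 10.1.1.77:2001 -> 10.1.3.9:135 SYN ******S*
Feb 22 01:30:06 10.1.1.77:2002 -> 10.1.3.10:445 SYN ******S*
Feb 22 01:30:07 10.1.1.88:3001 -> 10.1.4.1:80 SYN ******S*
this line is not a scan record and is skipped
"""

LINE_RE = re.compile(
    r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d (\S+):(\d+) -> (\S+):(\d+) \S+")
WORM_PORTS = {135, 445}  # RPC DCOM and SMB vectors named in the post


def parse_portscan_log(text):
    """Yield (src, dst, dport) for each well-formed record; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(3), int(m.group(4))


def suspect_scanners(text, min_hosts=5):
    """Sources that hit at least min_hosts distinct hosts on 135/445.

    Returns {src: {"hosts": n, "ports": [...]}}: one line per machine that
    the desktop/AV team should look at (assumed threshold of 5 hosts).
    """
    hosts = defaultdict(set)
    ports = defaultdict(set)
    for src, dst, dport in parse_portscan_log(text):
        if dport in WORM_PORTS:
            hosts[src].add(dst)
            ports[src].add(dport)
    return {src: {"hosts": len(h), "ports": sorted(ports[src])}
            for src, h in hosts.items() if len(h) >= min_hosts}
```

Repeated connections to the same host are counted once, so a box that legitimately talks to one file server a hundred times does not trip the threshold.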
