
RE: [Snort-sigs] Nimda

From: Joe Kinsella <jkinsella(at)silverbacktech.com>
Date: Wed May 28 2003 - 08:52:58 EDT


What I see in my logs on a Nimda attack looks like this:

~/scripts/root.exe
~/MSADC/root.exe
~/c/winnt/system32/cmd.exe
~/d/winnt/system32/cmd.exe
~/scripts/..%255c../winnt/system32/cmd.exe
~/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe
~/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe
~/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe
~/scripts/..%c1%1c../winnt/system32/cmd.exe
~/scripts/..%c0%2f../winnt/system32/cmd.exe
~/scripts/..%c0%af../winnt/system32/cmd.exe
~/scripts/..%c1%9c../winnt/system32/cmd.exe
~/scripts/..%%35%63../winnt/system32/cmd.exe
~/scripts/..%%35c../winnt/system32/cmd.exe
~/scripts/..%25%35%63../winnt/system32/cmd.exe
~/scripts/..%252f../winnt/system32/cmd.exe
~/default.ida

Am I right that none of these HTTP requests would be flagged by the default Snort rules as an attack? The above is just about identical to the original CERT advisory for Nimda.

Am I missing something? If not, some questions about rule creation: 1) How do I assign sids to my rules? Do I just use the next available id? 2) If I was creating rules for the above signature, would I create one rule for each of the above? Or should I just create three rules (root.exe, cmd.exe and default.ida)?

Thanks in advance.

Joe

-----Original Message-----
From: Nigel Houghton [mailto:nigel.houghton@sourcefire.com]
Sent: Tuesday, May 27, 2003 8:10 PM
To: Joe Kinsella
Cc: snort-sigs@lists.sourceforge.net
Subject: Re: [Snort-sigs] Nimda

From web-client.rules:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT readme.eml download attempt"; flow:from_client,established; uricontent:"/readme.eml"; nocase; classtype:attempted-user; sid:1284; reference:url,www.cert.org/advisories/CA-2001-26.html; rev:9;)


alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT readme.eml autoload attempt"; flow:to_client,established; content:"window.open(\"readme.eml\""; nocase; classtype:attempted-user; sid:1290; reference:url,www.cert.org/advisories/CA-2001-26.html; rev:8;)

Both these rules pertain to the spread of Nimda.

From tftp.rules:

alert udp any any -> any 69 (msg:"TFTP GET Admin.dll"; content: "|0001|"; offset:0; depth:2; content:"admin.dll"; offset:2; nocase; classtype:successful-admin; reference:url,www.cert.org/advisories/CA-2001-26.html; sid:1289; rev:2;)

also pertains to the attempt to spread infection.

Further information can be found at:

http://www.snort.org/snort-db/sid.html?sid=1284
http://www.snort.org/snort-db/sid.html?sid=1290

On Tue, 27 May 2003 16:42:00 -0400
Joe Kinsella <jkinsella@silverbacktech.com> said something like:


: I'm new to snort so please forgive me if I am re-treading old ground. I've
: installed Snort 2.0 on my IIS web server. My web server is also running
: URLScan to reject specific attacks. One of the attacks I see frequently
: rejected is Nimda (http://www.cert.org/advisories/CA-2001-26.html). Snort
: did not flag these HTTP requests as attacks - and I scanned the rule files
: for a rule that looks like it would have caught Nimda. Since this worm has
: been around so long, I am assuming a rule MUST be available for this.



Nigel Houghton
Security Engineer
Sourcefire Inc.

"I have read of a place where humans do battle in a ring of Jell-O."
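Added example, not from this thread and not Snort's own code: a short Python checker that folds the probe paths Joe lists (double percent-encoding, the `%%35%63` variant and the overlong UTF-8 escapes) into one canonical path and then matches only the three targets he names (root.exe, cmd.exe, default.ida), which is one way to test the "three rules or one per line" question against sample log lines. The sample paths are constructed, and the overlong-byte folding rule is an assumption about how the server of the day decoded them.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample request paths modelled on the probes listed in the post above.
SAMPLE_URIS = [
    "/MSADC/root.exe",
    "/c/winnt/system32/cmd.exe",
    "/scripts/..%255c../winnt/system32/cmd.exe",
    "/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe",
    "/scripts/..%c0%af../winnt/system32/cmd.exe",
    "/scripts/..%c1%9c../winnt/system32/cmd.exe",
    "/scripts/..%%35%63../winnt/system32/cmd.exe",
    "/default.ida",
    "/index.html",  # benign, must not match
]

# Overlong two-byte escapes (%c0%af, %c0%2f, %c1%1c, %c1%9c) decoded to '/' or '\' by old IIS.
# Assumption: fold lead-byte low 5 bits + trail-byte low 6 bits, so %c0%af -> '/', %c1%9c -> '\'.
OVERLONG = re.compile(rb"([\xc0\xc1])(.)", re.DOTALL)

# Three canonical targets, i.e. Joe's "three rules" option: root.exe, cmd.exe, default.ida.
SIGNATURES = {
    "root.exe": re.compile(r"/root\.exe$"),
    "cmd.exe": re.compile(r"/cmd\.exe$"),
    "default.ida": re.compile(r"/default\.ida$"),
}

def normalize(uri: str) -> str:
    """Bounded repeated percent-decoding, overlong folding, slash unification, lowercase."""
    raw = uri.encode("latin-1")
    for _ in range(3):  # %255c needs two passes; keep the loop bounded
        if b"%" not in raw:
            break
        raw = unquote_to_bytes(raw)
    raw = OVERLONG.sub(lambda m: bytes([((m[1][0] & 0x1F) << 6) | (m[2][0] & 0x3F)]), raw)
    path = raw.decode("latin-1").replace("\\", "/")
    return re.sub(r"/+", "/", path).lower()

def classify(uri: str):
    """Return (matched target or None, whether a '../' traversal survived decoding)."""
    norm = normalize(uri)
    traversal = "/../" in norm
    for name, pat in SIGNATURES.items():
        if pat.search(norm):
            return name, traversal
    return None, traversal

def scan(uris):
    """Every (uri, target, traversal) triple whose decoded path hits one of the targets."""
    return [(u, *classify(u)) for u in uris if classify(u)[0]]
```

Run `scan(SAMPLE_URIS)` to see that every encoding variant collapses onto the same three targets, with the traversal flag telling the two request shapes apart.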




Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

Received on Wed May 28 10:04:25 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:29 EDT

