[Snort-sigs] Re: [ISSForum] Witty signature

From: Sergey V Soldatov <SVSoldatov(at)tnk.ru>
Date: Thu Mar 25 2004 - 08:45:59 EST

I found another signature... It uses longer content, so it is more exact. Isn't it?

alert udp any 4000:5000 -> any any (msg:"Witty Initial Traffic"; content:"|29 20 20 20 20 20 20 69 6e 73 65 72 74 20 77 69 74 74 79 20 6d 65 73 73 61 67 65 20 68 65 72 65|"; rev:1;)

Source port restriction may be removed.

---
Best regards, Sergey V. Soldatov.

From: todb@planb-security.net
Sent by: issforum-bounces@iss.net
To: snort-sigs@lists.sourceforge.net, issforum@iss.net
cc:
Subject: [ISSForum] Witty signature
Date: 20.03.2004 14:17

Pretty easy one:

alert udp any 4000 -> any any (msg:"ISS RealSecure or BlackICE Witty Infection Attempt"; content:"|20 20 20 20 20 20|insert.witty.message.here"; depth:146; classtype:trojan-activity; reference:url,http://xforce.iss.net/xforce/alerts/id/166; sid:1111001; rev:1;)

Mostly useful for the Trons crowd (drop disallowed Trons fields accordingly).

--
Tod Beardsley
www.planb-security.net

_______________________________________________
ISSForum mailing list ISSForum@iss.net TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo/issforum To contact the ISSForum Moderator, send email to mod-issforum@iss.net The ISSForum mailing list is hosted and managed by Internet Security Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
_______________________________________________
Snort-sigs mailing list Snort-sigs@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/snort-sigs
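The two rules in this thread differ only in their content match and in whether a depth is set. The script below is an added example (not code from either poster, and not Snort itself) that reimplements just the two pieces of Snort matching the thread relies on: decoding a content string with |..| hex runs into bytes, and applying depth (the pattern must lie entirely within the first N payload bytes). The sample payloads are constructed from the decoded patterns plus filler, so the only bytes it asserts anything about are the ones the two rules themselves spell out. Running it shows that the longer content is stricter, that depth:146 stops a match placed deeper in the payload, and that the two patterns do not decode to the same bytes (dots versus spaces), which is the kind of check worth doing before deploying either rule.

```python
"""Compare the two Witty content matches from the thread on constructed UDP payloads.

Added example: models only Snort's `content` (with |..| hex) and `depth` options.
Port tests, Trons fields and everything else in the rules are out of scope.
"""
from typing import Dict, Optional, Tuple


def parse_content(spec: str) -> bytes:
    """Turn a Snort content string such as '|20 20|insert' into raw bytes.

    Text between pipes is hex (Snort ignores whitespace there, so '|0d0a|' and
    '|0d 0a|' are equivalent); text outside the pipes is literal ASCII.
    """
    if spec.count("|") % 2:
        raise ValueError("unbalanced '|' in content spec")
    out = bytearray()
    inside_hex = False
    for chunk in spec.split("|"):
        if inside_hex:
            out += bytes.fromhex(chunk.replace(" ", ""))
        else:
            out += chunk.encode("ascii")
        inside_hex = not inside_hex
    return bytes(out)


def content_matches(payload: bytes, spec: str, depth: Optional[int] = None) -> bool:
    """Snort-style content test: with `depth`, the whole pattern must fall
    inside the first `depth` bytes of the payload; without it, anywhere."""
    pattern = parse_content(spec)
    haystack = payload if depth is None else payload[:depth]
    return pattern in haystack


# The two content/depth pairs exactly as posted in the thread.
SIGS: Dict[str, Tuple[str, Optional[int]]] = {
    "beardsley": ("|20 20 20 20 20 20|insert.witty.message.here", 146),
    "soldatov": (
        "|29 20 20 20 20 20 20 69 6e 73 65 72 74 20 77 69 74 74 79 20 "
        "6d 65 73 73 61 67 65 20 68 65 72 65|",
        None,
    ),
}


def evaluate(payload: bytes) -> Dict[str, bool]:
    """Run both content matches against one payload."""
    return {name: content_matches(payload, spec, depth)
            for name, (spec, depth) in SIGS.items()}


# Constructed sample payloads (filler plus the bytes each rule decodes to).
_DOTS = parse_content(SIGS["beardsley"][0])      # b"      insert.witty.message.here"
_SPACES = parse_content(SIGS["soldatov"][0])     # b")      insert witty message here"
SAMPLES: Dict[str, bytes] = {
    "dots_early": b"\x00" * 40 + _DOTS + b"\x00" * 600,      # ends at byte 71, inside depth 146
    "spaces_early": b"\x00" * 40 + _SPACES + b"\x00" * 600,
    "dots_deep": b"\x00" * 200 + _DOTS + b"\x00" * 600,      # starts past depth 146
    "spaces_deep": b"\x00" * 200 + _SPACES + b"\x00" * 600,
    "benign": b"please insert witty message here later",      # phrase without the prefix bytes
}


def decoded_patterns_equal() -> bool:
    """Sanity check a rule author would want: do the two contents match the same bytes?"""
    return _DOTS in _SPACES or _SPACES in _DOTS


if __name__ == "__main__":
    print("decoded patterns overlap:", decoded_patterns_equal())
    for name, payload in SAMPLES.items():
        print(f"{name:13s}", evaluate(payload))
```

Usage: run the file directly; each line of output lists which of the two matches fires for that sample. The dots-versus-spaces outcome is the reason to decode a content string back to bytes before trusting it: both rules look plausible on the page, but they cannot both fire on the same payload.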
Received on Mon Mar 29 09:00:29 2004

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:39 EDT