GROUP_NAME=MISC_LIGHT
GROUP_DESCRIPTION=This group contains a few custom Dragon NIDS signatures which should be fairly low-CPU-cost, and high-value.
# $Id: MISC_LIGHT.lib,v 1.19 2006/05/19 15:10:31 hlein Exp $

NAME=FTP:CWD-TILDE-1
SIGNATURE=T D A S 100 200 21 FTP:CWD-TILDE-1 cwd/20/7e/0a
DESCRIPTION=Sun Solaris' FTP server has a vulnerability where a 'CWD ~' before the user has logged in will cause a segfault and a core dump in / containing fragments of the shadow file. This signature looks for 'CWD ~\n', which is evidence of someone using a tool such as netcat to connect to the FTP server port; normal ftp clients (and telnet) send '\r\n' as line terminators.
EVENTGROUP=ATTACKS
CVE=CAN-2001-0421
BUGTRAQ=2601
MODIFIED=Y
DISABLED=N

NAME=WEB:NETSCAPE-WP-CS-DUMP
SIGNATURE=T D A S 30 100 W WEB:NETSCAPE-WP-CS-DUMP /2f/3fwp/2dcs/2ddump
DESCRIPTION=Netscape webservers have 'Directory browsing' enabled by default. Unless it is disabled, a query of 'http://www.example.com/?wp-cs-dump' will dump a directory index, even if a default index.html or similar file exists in /. This applies to subdirectories as well.
EVENTGROUP=SUSPICIOUS
CVE=CVE-2000-0236
BUGTRAQ=1063
MODIFIED=Y
DISABLED=N

NAME=TEL:TTYPROMPT2
SIGNATURE=T D A B 100 400 23 TEL:TTYPROMPT2 /ff/fa/27/00 , /00TTYPROMPT/01
DESCRIPTION=Solaris telnet / login has a bug in the handling of the TTYPROMPT telnet environment variable. If TTYPROMPT is set to a six-character string, and then a username is passed with additional arguments which are taken as additional environment variables, the attacker will be logged in as that user without being prompted for a password. Note that two different byte-patterns have been seen for successful TTYPROMPT-based attacks. Enterasys has a TTYPROMPT signature which will catch one of them; this signature catches the other.
MODIFIED=Y
DISABLED=N

NAME=TFTP:GET-BAT
SIGNATURE=U D A S 100 40 69 TFTP:GET-BAT /00/01 , /2ebat
DESCRIPTION=An easy way for attackers to install tools on a compromised machine is to TFTP them from an existing server. This signature looks for any TFTP read requests (opcode 1) for .bat files, which should normally be very uncommon.
MODIFIED=Y
DISABLED=N

NAME=TFTP:GET-EXE
SIGNATURE=U D A S 100 40 69 TFTP:GET-EXE /00/01 , /2eexe
DESCRIPTION=An easy way for attackers to install tools on a compromised machine is to TFTP them from an existing server. This signature looks for any TFTP read requests for .exe files, which should normally be very uncommon.
MODIFIED=Y
DISABLED=N

NAME=TFTP:GET-ZIP
SIGNATURE=U D A S 100 40 69 TFTP:GET-ZIP /00/01 , /2ezip
DESCRIPTION=An easy way for attackers to install tools on a compromised machine is to TFTP them from an existing server. This signature looks for any TFTP read requests for .zip files, which should normally be very uncommon.
MODIFIED=Y
DISABLED=N

NAME=TFTP:GET-RAR
SIGNATURE=U D A S 100 40 69 TFTP:GET-RAR /00/01 , /2erar
DESCRIPTION=An easy way for attackers to install tools on a compromised machine is to TFTP them from an existing server. This signature looks for any TFTP read requests for .rar files, which should normally be very uncommon.
MODIFIED=Y
DISABLED=N

NAME=SMTP:SOBIG-WORM
SIGNATURE=T D A B 5 0 25 SMTP:SOBIG-WORM X/2dMailScanner/3a/20Found/20to/20be/20clean , /2epif/22
DESCRIPTION=On 2003-08-19 a new worm named WORM_SOBIG.F (known aliases include Win32.HLLM.Reteras) began to proliferate on a large scale. It consists of an email attachment .pif file, and contains various forged mail headers; the first search term is one of those forged headers and the second matches the .pif attachment name. It harvests email addresses from files on the system and mass-mails itself to all addresses found, with From addresses forged from the list of addresses found. It adds registry keys so that it will be restarted automatically upon system reboot. It is not particularly destructive, but is spreading quite rapidly and may bog down large mail hubs, etc.
URLREF=http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SOBIG.F
EVENTGROUP=VIRUS
MODIFIED=Y
DISABLED=N

NAME=TFTP:MSBLAST-WORM
SIGNATURE=U D A S 10 40 69 TFTP:MSBLAST-WORM /00/01msblast/2eexe/00octet/00
DESCRIPTION=A worm is spreading using the MS RPC DCOM vulnerability MS03-026. It spreads by TFTPing the file msblast.exe around; this signature should trigger on the TFTP read request for that file.
MODIFIED=Y
DISABLED=N

NAME=W32.MIMAIL.C-WORM
SIGNATURE=T D A B 5 0 25 W32.MIMAIL.C-WORM Re/5b2/5d/3a/20our/20private/20photos , name=/22photos/2ezip/22
DESCRIPTION=Reports are on the rise of a new variant of the Mimail virus. It spreads by propagating a malicious .EXE file named photos.jpg.exe zipped inside the attached file photos.zip. On infecting a machine it scans files for other addresses to send itself to, sends some file contents (documents, etc.) to addresses in the gmx.net and mail15.com domains, and performs a TCP and ICMP denial of service attack against the darkprofit.net and darkprofit.com sites. This signature looks for emails with the subject and file-attachment characteristic of the worm. It may false-positive on emails discussing the worm.
URLREF=http://www.symantec.com/avcenter/venc/data/w32.mimail.c@mm.html
URLREF=http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100795
MODIFIED=Y
DISABLED=N

NAME=WEB:PHP-CGI-LS
SIGNATURE=T D A S 30 100 W WEB:PHP-CGI-LS /2fcgi/2dbin/2fphp.cgi/3f/2fls/2520/2dal
DESCRIPTION=On 2004-01-09 some sites began getting requests for '/cgi-bin/php.cgi?/ls%20-al' (a common vulnerability for misconfigured webservers with PHP support) from a wide range of source IP addresses. It is not yet known if this is part of a distributed scan, a new worm, etc.
EVENTGROUP=ATTACKS
MODIFIED=Y
DISABLED=N

NAME=SMTP:COM-ATTACH
SIGNATURE=T D A B 1 0 25 SMTP:COM-ATTACH Content/2dDisposition/3a/20attachment/3b , /2ecom/22/0d/0a
DESCRIPTION=Many viruses and worms attempt to spread using email attachments with extensions such as EXE, COM, VBS, LNK, PIF, SCR, or BAT. Examples of such mass mailing worms include W32.BadTrans, W32.Sobig, and W32.Lovgate. You should run and maintain antivirus software and use email attachment blocking to detect and delete these attachments. You should also disable or secure network shares as many of these worms also attempt to use network shares for propagation. Note that the second search term requires the quoted filename to end the header line ('.com"' followed by CRLF), so a filename followed by further parameters on the same line is not matched.
CERT=IN-2003-01
MODIFIED=Y
DISABLED=N
UPDATED=N

NAME=SMTP:BAT-ATTACH
SIGNATURE=T D A B 1 0 25 SMTP:BAT-ATTACH Content/2dDisposition/3a/20attachment/3b , /2ebat/22/0d/0a
DESCRIPTION=Many viruses and worms attempt to spread using email attachments with extensions such as EXE, COM, VBS, LNK, PIF, SCR, or BAT. Examples of such mass mailing worms include W32.Novarg/Mimail.R, W32.BadTrans, W32.Sobig, and W32.Lovgate. You should run and maintain antivirus software and use email attachment blocking to detect and delete these attachments. You should also disable or secure network shares as many of these worms also attempt to use network shares for propagation.
CERT=IN-2003-01
MODIFIED=Y
DISABLED=N
UPDATED=N

NAME=SMTP:CPL-ATTACH
SIGNATURE=T D A B 1 0 25 SMTP:CPL-ATTACH Content/2dDisposition/3a/20attachment/3b , /2ecpl/22/0d/0a
DESCRIPTION=Many viruses and worms attempt to spread using email attachments with extensions such as CPL, EXE, COM, VBS, LNK, PIF, SCR, or BAT. Examples of such mass mailing worms include Bagle, W32.Novarg/Mimail.R, W32.BadTrans, W32.Sobig, and W32.Lovgate. You should run and maintain antivirus software and use email attachment blocking to detect and delete these attachments. You should also disable or secure network shares as many of these worms also attempt to use network shares for propagation.
CERT=IN-2003-01
MODIFIED=Y
DISABLED=N
UPDATED=N

NAME=SMTP:CMD-ATTACH
SIGNATURE=T D A B 1 0 25 SMTP:CMD-ATTACH Content/2dDisposition/3a/20attachment/3b , /2ecmd/22/0d/0a
DESCRIPTION=Many viruses and worms attempt to spread using email attachments with extensions such as EXE, COM, VBS, LNK, PIF, SCR, or BAT. Examples of such mass mailing worms include W32.Novarg/Mimail.R, W32.BadTrans, W32.Sobig, and W32.Lovgate. You should run and maintain antivirus software and use email attachment blocking to detect and delete these attachments. You should also disable or secure network shares as many of these worms also attempt to use network shares for propagation.
CERT=IN-2003-01
MODIFIED=Y
DISABLED=N
UPDATED=N

NAME=WORM:DOOM-WINEXE
SIGNATURE=T D A B 5 0 3127 WORM:DOOM-WINEXE This/20program/20must/20be/20run/20under/20Win32
DESCRIPTION=On 2004-02-09 reports began of a new worm which scans for systems which have been compromised by the MyDoom worms, and uses the backdoor that MyDoom starts on TCP port 3127 to propagate itself. Doomjuice spreads this way, and also includes a DDoS of www.microsoft.com, which starts slowly until the 12th of the month and then runs at full force. The search string is the DOS-stub message found at the start of Win32 executables, so this event indicates an executable being pushed to the backdoor port.
URL=http://www.viruslist.com/eng/alert.html?id=930701
MODIFIED=Y
DISABLED=N

NAME=COMP:TROJANSPY-KEYLOGGER
SIGNATURE=T D A B 100 0 25 COMP:TROJANSPY-KEYLOGGER /0d/0aSubject:/20Keylog/20From/20/28
DESCRIPTION=Trojanspy (aka TrojanSpy.Agent.D, TrojanSpy.Win32.Keylogger.aa, Keylog-Stawin.dll, etc.) is a trojan which is being actively disseminated via email. It apparently logs keystrokes, and uploads them in periodic emails to a mail.ru address. The original Trojanspy versions recorded keystrokes for Web browser sessions connecting to various online banking sites; the current variants may do the same, or may harvest some different information.
URL=http://vil.nai.com/vil/content/v_100985.htm
MODIFIED=Y
DISABLED=N

NAME=SMTP:BAGLE-WORM
SIGNATURE=T D A B 5 0 25 SMTP:BAGLE-WORM /0d/0aYours/20ID/20 , Content/2dType/3a/20application/2fx/2dmsdownload/3b/20name/3d/22
DESCRIPTION=Another day, another email worm. Bagle.B (aka Tanx-A, W32.Alua@mm, etc.) spreads by emailing itself as an .exe file attachment with the subject 'ID ... thanks'. Upon execution it scans for addresses to replicate itself to, and opens a backdoor listener on TCP port 8866.
URL=http://www.sophos.com/virusinfo/analyses/w32tanxa.html
URL=http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BAGLE.B
MODIFIED=Y
DISABLED=N

NAME=BACKDOOR:BAGLE-WORM
SIGNATURE=T D A B 5 0 8866 BACKDOOR:BAGLE-WORM This/20program/20cannot/20be/20run/20in/20DOS/20mode
DESCRIPTION=The Bagle email worm creates a backdoor listener on TCP port 8866. It is not yet clear what protocol is used by the backdoor listener, but if it is similar to that used by Doomjuice, it will accept and run uploaded files. If so, this signature may catch uploaded programs: the search string is the DOS-stub message at the start of Win32 executables.
URL=http://www.sophos.com/virusinfo/analyses/w32tanxa.html
URL=http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BAGLE.B
MODIFIED=Y
DISABLED=N

NAME=WEB:GET-CAB
SIGNATURE=T D A S 10 150 W WEB:GET-CAB get/20/2f , /2ecab/20http/2f1
DESCRIPTION=Signature to capture HTTP GET requests for .CAB files. This will generate some noise (particularly for Windows Update downloads), but it also catches the majority of malware (adware/spyware) being installed or updated on a victim box.
MODIFIED=Y
DISABLED=N
UPDATED=N

NAME=WEB:GET-EXE
SIGNATURE=T D A S 10 150 W WEB:GET-EXE get/20/2f , /2eexe/20http/2f1
DESCRIPTION=Signature to capture HTTP GET requests for .EXE files. This will generate some noise (particularly for Windows Update downloads), but it also catches the majority of malware (adware/spyware) being installed or updated on a victim box.
MODIFIED=Y
DISABLED=N
UPDATED=N

NAME=WEB:GET-RAR
SIGNATURE=T D A S 10 150 W WEB:GET-RAR get/20/2f , /2erar/20http/2f1
DESCRIPTION=Signature to capture HTTP GET requests for .RAR files. RAR-compressed files aren't necessarily bad, but they are fairly uncommon and are often used to transfer malicious payloads, so they are worth investigating.
MODIFIED=Y
DISABLED=N
UPDATED=N

NAME=ISS:OVERFLOW-ICQ
SIGNATURE=U S A B 5 0 4000 ISS:OVERFLOW-ICQ /3c1/c9Qhel32hkernT/3e , 1/c9QhounthickChGetTTP/3e/ff
DESCRIPTION=Many ISS products suffer from a buffer overflow vulnerability that can be exploited even when the system is passively monitoring traffic on a network. BlackIce, a personal IDS/firewall product for Windows systems, is vulnerable up to version 3.6ccf; version 3.6ccg is fixed. The vulnerability can be exploited by sending a single UDP packet crafted to look like an ICQ chat message, but malformed in such a way as to crash the IDS engine and run arbitrary malicious code. A worm began propagating on 2004-03-19 taking advantage of this vulnerability. This signature is an attempt to abstract some of the exploit details out of that worm (there may be other ways to exploit the vulnerability that this signature does not catch).
URL=http://xforce.iss.net/xforce/alerts/id/166
URL=http://securityresponse.symantec.com/avcenter/venc/data/w32.witty.worm.html
URL=http://www.f-secure.com/v-descs/witty.shtml
MODIFIED=Y
DISABLED=N

NAME=WORM:ISS-ICQ-WITTY
SIGNATURE=U S A B 5 250 4000 WORM:ISS-ICQ-WITTY /20/20insert/20witty/20message/20here/2e/20/20/20/20/20/20/28/5e/2e/5e/29/20
DESCRIPTION=Many ISS products suffer from a buffer overflow vulnerability that can be exploited even when the system is passively monitoring traffic on a network. BlackIce, a personal IDS/firewall product for Windows systems, is vulnerable up to version 3.6ccf; version 3.6ccg is fixed. The vulnerability can be exploited by sending a single UDP packet crafted to look like an ICQ chat message, but malformed in such a way as to crash the IDS engine and run arbitrary malicious code. A worm began propagating on 2004-03-19 taking advantage of this vulnerability. This signature detects some strings embedded in this worm, the "Witty worm".
URL=http://xforce.iss.net/xforce/alerts/id/166
URL=http://securityresponse.symantec.com/avcenter/venc/data/w32.witty.worm.html
URL=http://www.f-secure.com/v-descs/witty.shtml
MODIFIED=Y
DISABLED=N

NAME=PHP:REMOTE-PAGE-PHP
SIGNATURE=T D T S 10 30 W PHP:REMOTE-PAGE-PHP /2ephp , page/3dhttp
DESCRIPTION=Detects attempts to include remote PHP code in a local server via the 'page' request parameter (page=http://...). Contributed by Jordan Wiens.
MODIFIED=Y
DISABLED=N

NAME=PHP:REMOTE-PAGE-PHTML
SIGNATURE=T D T S 10 30 W PHP:REMOTE-PAGE-PHTML /2ephtml , page/3dhttp
DESCRIPTION=Detects attempts to include remote PHP code in a local server via the 'page' request parameter (page=http://...) on .phtml scripts. Contributed by Jordan Wiens.
MODIFIED=Y
DISABLED=N

NAME=PHATBOT:FTP
SIGNATURE=T S A B 40 100 A PHATBOT:FTP 221/20Goodbye,/20have/20a/20good/20infection/20/3a/29/2e/0d/0a
DESCRIPTION=Phatbot is a trojan/backdoor that attempts to spread itself via a number of Windows-based vulnerabilities. Because of this, you may also notice a small spike in some of the more successful Windows vulnerabilities such as DCOM, WebDAV, DameWare, or the Locator Service (among others). In addition to all the popular DDoS tool functionality, the tool can also run various protocol redirectors and proxies, as well as password stealers. This event detects a characteristic string in the FTP server embedded in Phatbot, which it uses to propagate itself to newly infected machines. The source address is an infected machine, and the destination address has probably just been infected. This signature is based on a Snort signature posted by LURHQ.
URL=http://www.lurhq.com/phatbot.html
MODIFIED=Y
DISABLED=N

NAME=SMB:DCOM-OVERFLOW-1025
SIGNATURE=T D A B 400 0 1025 SMB:DCOM-OVERFLOW-1025 /5c/00/43/00/24/00/5c/00*/00*/00*/00*/00*/00*/00*/00*/00*/00*/00*/00*/00*/00*/00*/00*/00*/00*/00*/00* , /01/10/08/00/cc/cc/cc/cc
DESCRIPTION=A vulnerability exists in the DCOM RPC interface that affects all currently shipping versions of Windows; see the CERT advisory referenced below. Less than a week after the CERT advisory, many variations of exploits for the vulnerability started circulating, along with discussion about potential worms. This signature looks for the known attacks on TCP port 1025, rather than TCP port 135. It indicates that Dragon has detected a request that matches some of the prerequisites for successful exploitation of this vulnerability, including long file names in specific UNC (Universal Naming Convention) path requests (the first search term is '\C$\' in UTF-16) and the presence of certain types of data. The signature does not log many packets since most of the successful exploits for this vulnerability have opened command channels in separate data streams. If you do see an application-layer reply from the server to this request, then the attack was probably not successful.
CVE=CAN-2003-0352
BUGTRAQ=8234
CERT=CA-2003-16
MODIFIED=Y
DISABLED=N

NAME=SMB:GENERIC-EXCODE-1025
SIGNATURE=T D A B 200 0 1025 SMB:GENERIC-EXCODE-1025 /01/10/08/00/cc/cc/cc/cc/50/00/00/00/4f/b6/88/20/ff/ff/ff
DESCRIPTION=Shortly following the vulnerability in DCOM that affected most of the publicly deployed versions of Windows, and the ensuing onslaught of exploits and worms for that vulnerability, a related vulnerability has been announced by Microsoft. In anticipation of a similar devastating effect, the Dragon Analysis and Response Team is releasing this signature less than 24 hours after the initial announcement. This alert indicates that Dragon has encountered traffic that appears to be an exploit for this vulnerability based on our early research. This signature triggers on code that has recently started appearing in several different exploits for all the MS SMB vulnerabilities made public in the August/September 2003 timeframe, sent over TCP port 1025 instead of port 135.
CVE=CAN-2003-0715
BUGTRAQ=8460
CERT=CA-2003-23
MODIFIED=Y
DISABLED=N

NAME=BETA:SMB:POST-1025
SIGNATURE=T D A B 400 110 1025 BETA:SMB:POST-1025 /00/41/00/41/00/5c/00/43/00/24/00/5c/00/41/00/2e/00/74/00/78/00/74
DESCRIPTION=Discussions have been circulating about a new vulnerability in the Windows SMB/DCOM service that is not addressed by the most current patch (MS03-039) for DCOM weaknesses. This signature watches for these possible exploit attempts on TCP port 1025, rather than the usual TCP port 135.
EVENTGROUP=ATTACKS
MODIFIED=Y
DISABLED=N

NAME=BOBAX:PHONEHOME
SIGNATURE=T D A S 10 30 80 BOBAX:PHONEHOME get/20/2freg/3fu/3d , /26v/3d
DESCRIPTION=Bobax is a recently discovered spam-based trojan. This signature detects attempts by an infected host to 'phone home' (a GET for /reg?u=...&v=...). Signature contributed by Jordan Wiens.
URL=http://www.lurhq.com/bobax.html
MODIFIED=Y
DISABLED=N

NAME=WARFTPD:BAD-LOGIN
SIGNATURE=T S A S 25 35 21 WARFTPD:BAD-LOGIN 530/20password/20not/20accepted
DESCRIPTION=Checks for a bad FTP login to a War FTP Daemon. Contributed by Pete Schuyler.
MODIFIED=Y
DISABLED=N

NAME=WORM:LSASS-BLING-FTP
SIGNATURE=T D A S 10 0 7180 WORM:LSASS-BLING-FTP retr/20bling/2eexe/0d/0a
DESCRIPTION=The Bling worm exploits the same LSASS.EXE vulnerability (on at least Windows 2000) that the Sasser worm uses against Windows 2000 and XP systems. LSASS can be accessed on TCP ports 135, 139, 445, 593, and 1025, and UDP ports 135, 137, 138, and 445, although this worm seems to only target TCP port 445. This signature detects the FTP session (RETR bling.exe on TCP port 7180) that the worm infection uses to propagate itself.
MODIFIED=Y
DISABLED=N

NAME=WORM:LSASS-BLING-CMD
SIGNATURE=T D A S 10 0 44445 WORM:LSASS-BLING-CMD echo/20get/20bling/2eexe
DESCRIPTION=The Bling worm exploits the same LSASS.EXE vulnerability (on at least Windows 2000) that the Sasser worm uses against Windows 2000 and XP systems. LSASS can be accessed on TCP ports 135, 139, 445, 593, and 1025, and UDP ports 135, 137, 138, and 445, although this worm seems to only target TCP port 445. This signature detects the remote command prompt (on TCP port 44445) that the worm infection uses to propagate itself.
MODIFIED=Y
DISABLED=N

NAME=BACKDOOR:STNYFTPD
SIGNATURE=T S A B 40 14 A BACKDOOR:STNYFTPD 220/20StnyFtpd
DESCRIPTION=StnyFtpd is a backdoor FTP server used by various worms/trojans (bling.exe at least). Typically an attacking machine will run a StnyFtpd instance, and once it compromises a victim it will instruct that victim to download a copy of the malware/worm from the StnyFtpd server. So, this event triggering indicates that a machine has already been compromised, and is phoning home to download and run the worm, successfully spreading the infection.
MODIFIED=Y
DISABLED=N
UPDATED=N

NAME=BACKDOOR:FTPDOWNS
SIGNATURE=T B A S 40 20 H BACKDOOR:FTPDOWNS 220/20 , ftpd/200wns/20j0
DESCRIPTION=A backdoor FTP server on a high port is used by various worms/trojans (bling.exe, KIBUV, etc. at least). Typically an attacking machine will run an ftpd instance, and once it compromises a victim it will instruct that victim to download a copy of the malware/worm from the ftp server. So, this event triggering indicates that a machine has already been compromised, and is phoning home to download and run the worm, successfully spreading the infection.
MODIFIED=Y
DISABLED=N
UPDATED=N

NAME=BACKDOOR:RANDRECO
SIGNATURE=T D A S 10 250 W BACKDOOR:RANDRECO get/20/2f , randreco/2eexe/20http/2f1
DESCRIPTION=Randreco is a common piece of malicious adware/spyware. This signature detects randreco.exe being downloaded from a website. Most likely, the source machine is already infected.
MODIFIED=Y
DISABLED=N
UPDATED=N

NAME=FTP:GET-EXE
SIGNATURE=T D A S 20 100 21 FTP:GET-EXE retr/20 , /2eexe/0d/0a
DESCRIPTION=This signature detects FTP transfers of .EXE files. In some environments this may happen frequently, but in most networks they should be fairly rare, and worthy of note.
MODIFIED=Y
DISABLED=N
UPDATED=N

NAME=FTP:GET-BAT
SIGNATURE=T D A S 20 100 21 FTP:GET-BAT retr/20 , /2ebat/0d/0a
DESCRIPTION=This signature detects FTP transfers of .BAT files. In some environments this may happen frequently, but in most networks they should be fairly rare, and worthy of note.
MODIFIED=Y
DISABLED=N
UPDATED=N

NAME=FTP:GET-CMD
SIGNATURE=T D A S 20 100 21 FTP:GET-CMD retr/20 , /2ecmd/0d/0a
DESCRIPTION=This signature detects FTP transfers of .CMD files. In some environments this may happen frequently, but in most networks they should be fairly rare, and worthy of note.
MODIFIED=Y
DISABLED=N
UPDATED=N

NAME=FTP:GET-DLL
SIGNATURE=T D A S 20 100 21 FTP:GET-DLL retr/20 , /2edll/0d/0a
DESCRIPTION=This signature detects FTP transfers of .DLL files. In some environments this may happen frequently, but in most networks they should be fairly rare, and worthy of note.
MODIFIED=Y
DISABLED=N
UPDATED=N

NAME=WORM:BOFRA-WEBSERVER-1639
SIGNATURE=T D A S 900 250 1639 WORM:BOFRA-WEBSERVER-1639 get/20/2f , /20http/2f1
DESCRIPTION=A newly released worm uses the new, unpatched Microsoft IE EMBED/FRAME/IFRAME vulnerability to compromise systems. An infected machine will run a webserver on TCP port 1639 or 1640, and mass-mail emails with links back to its webserver. When users follow the links, their machines are compromised, and the worm propagates. This signature attempts to catch web requests on port 1639 (a default port used by the worm so far; this could easily change in future variants).
MODIFIED=Y
DISABLED=N
UPDATED=N

NAME=WORM:BOFRA-WEBSERVER-1640
SIGNATURE=T D A S 900 250 1640 WORM:BOFRA-WEBSERVER-1640 get/20/2f , /20http/2f1
DESCRIPTION=A newly released worm uses the new, unpatched Microsoft IE EMBED/FRAME/IFRAME vulnerability to compromise systems. An infected machine will run a webserver on TCP port 1639 or 1640, and mass-mail emails with links back to its webserver. When users follow the links, their machines are compromised, and the worm propagates. This signature attempts to catch web requests on port 1640 (a default port used by the worm so far; this could easily change in future variants).
MODIFIED=Y
DISABLED=N
UPDATED=N

NAME=WORM:BOFRA-EMAIL-LINK
SIGNATURE=T D A S 50 0 25 WORM:BOFRA-EMAIL-LINK http/3a/2f/2f , /3a1639/2findex/2ehtm
DESCRIPTION=A newly released worm uses the new, unpatched Microsoft IE EMBED/FRAME/IFRAME vulnerability to compromise systems. An infected machine will run a webserver on TCP port 1639 or 1640, and mass-mail emails with links back to its webserver. When users follow the links, their machines are compromised, and the worm propagates. This signature attempts to catch emails directing the victim to a URL on port 1639 (a default port used by the worm so far; this could easily change in future variants).
MODIFIED=Y
DISABLED=N
UPDATED=N

NAME=WORM:BOFRA-EMAIL-LINK2
SIGNATURE=T D A S 50 0 25 WORM:BOFRA-EMAIL-LINK2 http/3a/2f/2f , /3a164#/2findex/2ehtm
DESCRIPTION=A newly released worm uses the new, unpatched Microsoft IE EMBED/FRAME/IFRAME vulnerability to compromise systems. An infected machine will run a webserver on TCP port 1639 or 1640, and mass-mail emails with links back to its webserver. When users follow the links, their machines are compromised, and the worm propagates. This signature attempts to catch emails directing the victim to a URL on port 1640 through 1649 (the '#' matches one digit; 1640 is a default port used by the worm so far and this could easily change in future variants).
MODIFIED=Y
DISABLED=N
UPDATED=N

NAME=COMP:SMB-URL
SIGNATURE=T A A B 30 400 445 COMP:SMB-URL Xhttp/3a/2f/2f
DESCRIPTION=At least one known LSASS worm variant sets up a mini webserver and sends the victim a URL over the SMB connection in order to propagate itself. This signature attempts to detect any URL in the SMB stream. Based on a signature contributed by Trent Healy.
MODIFIED=Y
DISABLED=N
UPDATED=N

NAME=VERITAS:BACKUPEXEC
SIGNATURE=T D A B 10 15 6101 VERITAS:BACKUPEXEC /31/f6/c1/ec/0c/c1/e4
DESCRIPTION=A buffer overrun exists in Windows versions of the Veritas BackupExec agent (a component of the Veritas enterprise backup software). Exploits exist and are being actively used in the wild. This signature attempts to detect exploit attempts; however it may trigger on legitimate uses of Veritas as well. Signature contributed by Jordan Wiens.
MODIFIED=Y
DISABLED=N
UPDATED=N

NAME=WEB:GET-SIS
SIGNATURE=T D A S 10 150 W WEB:GET-SIS get/20/2f , /2esis/20http/2f1
DESCRIPTION=Temporary signature to capture HTTP GET requests for .SIS files. SIS files are the application-installer package files used by a number of phones such as Nokias. This signature will give us an idea of how common .SIS file transfers are, and also collect sample .SIS files so we can develop a signature based on the file/package content, because the phones will install SIS packages which have been renamed to any other extension, and that is being actively used to write phone-based worms.
MODIFIED=Y
DISABLED=N
UPDATED=N

NAME=SMTP:SIS-ATTACH
SIGNATURE=T D A S 1 0 25 SMTP:SIS-ATTACH content/2ddisposition/3a/20attachment/3b , /2esis/22/0d/0a
DESCRIPTION=Temporary signature to capture emails with .SIS file attachments. SIS files are the application-installer package files used by a number of phones such as Nokias. This signature will give us an idea of how common .SIS file transfers are, and also collect sample .SIS files so we can develop a signature based on the file/package content, because the phones will install SIS packages which have been renamed to any other extension, and that is being actively used to write phone-based worms.
MODIFIED=Y
DISABLED=N
UPDATED=N

NAME=FTP:GET-SIS
SIGNATURE=T D A S 20 100 21 FTP:GET-SIS retr/20 , /2esis/0d/0a
DESCRIPTION=This signature detects FTP transfers of .SIS files. SIS files are the application-installer package files used by a number of phones such as Nokias. This signature will give us an idea of how common .SIS file transfers are, and also collect sample .SIS files so we can develop a signature based on the file/package content, because the phones will install SIS packages which have been renamed to any other extension, and that is being actively used to write phone-based worms.
MODIFIED=Y
DISABLED=N
UPDATED=N

NAME=MYSQL:LOGIN-ROOT
SIGNATURE=T D A B 6 120 3306 MYSQL:LOGIN-ROOT /00/00/01/05/24/00/00/00root/00
DESCRIPTION=This signature detects login attempts to a MySQL database server using the 'root' account. By default root has full control over the database server, and it is best practice to interact with the database as a less-privileged user for normal work. Also, there are worms which target MySQL servers with a weak (or no) password on the 'root' account.
MODIFIED=Y
DISABLED=N
UPDATED=N

NAME=MYSQL:LOGIN-NOPASSWORD
SIGNATURE=T D A B 40 120 3306 MYSQL:LOGIN-NOPASSWORD /0a/00/00/01/05/24/00/00/00
DESCRIPTION=This signature detects login attempts to a MySQL database server without a password. There should always be passwords set, on all database accounts. Also, there are worms which target MySQL servers with weak (or no) passwords set.
MODIFIED=Y
DISABLED=N
UPDATED=N

NAME=MYSQL:CREATE-BLA
SIGNATURE=T D A S 40 120 3306 MYSQL:CREATE-BLA /00/00/00/03create/20table/20bla , line
DESCRIPTION=This signature detects the command 'create table bla'. There is a worm in the wild which targets MySQL servers, and its first step in spreading itself to new targets is to create a table by that name in the mysql database.
MODIFIED=Y
DISABLED=N
UPDATED=N

NAME=MYSQL:CREATE-MYSQL.BLA
SIGNATURE=T D A S 40 120 3306 MYSQL:CREATE-MYSQL.BLA /00/00/00/03create/20table/20mysql/2ebla , line
DESCRIPTION=This signature detects the command 'create table mysql.bla'. There is a worm in the wild which targets MySQL servers, and its first step in spreading itself to new targets is to create a table by that name in the mysql database.
MODIFIED=Y
DISABLED=N
UPDATED=N

NAME=BEARSHARE:GET
SIGNATURE=T D A B 40 20 6346 BEARSHARE:GET GET/20/2furi/2dres/2f , Content-Disposition/3a/20inline/3b/20filename/3d
DESCRIPTION=This signature attempts to detect each BearShare file-download request. BearShare is a P2P tool which is also known to be used by malware to spread itself.
MODIFIED=Y
DISABLED=N
UPDATED=N

NAME=BACKDOOR:STMTRECO
SIGNATURE=T D A S 10 250 W BACKDOOR:STMTRECO get/20/2f , stmtreco/2eexe/20http/2f1
DESCRIPTION=Stmtreco is a common piece of malicious adware/spyware, believed to be the next generation of randreco. This signature detects stmtreco.exe being downloaded from a website. Most likely, the source machine is already infected.
MODIFIED=Y
DISABLED=N
UPDATED=N

NAME=BACKDOOR:AURARECO
SIGNATURE=T D A S 10 250 W BACKDOOR:AURARECO get/20/2f , aurareco/2eexe/20http/2f1
DESCRIPTION=Aurareco is a common piece of malicious adware/spyware, believed to be the next generation of randreco/stmtreco. This signature detects aurareco.exe being downloaded from a website. Most likely, the source machine is already infected.
MODIFIED=Y
DISABLED=N
UPDATED=N

NAME=CLIENT:DOC-NULL-OVERFLOW
SIGNATURE=T D A S 100 300 W CLIENT:DOC-NULL-OVERFLOW /2edoc/2500 > 200
DESCRIPTION=A vulnerability in Microsoft Word XP, from Office XP, can be exploited when a browser requests a .doc or .rtf file with the filename in the GET request followed by a hex-encoded null and then a long string. This signature attempts to detect requests for '.doc%00' followed by a long string. Existing writeups do not make clear just how *long* the string needs to be for a useful overflow, so the 200-byte threshold might need to be adjusted.
MODIFIED=Y
DISABLED=N
UPDATED=N

NAME=CLIENT:RTF-NULL-OVERFLOW
SIGNATURE=T D A S 100 300 W CLIENT:RTF-NULL-OVERFLOW /2ertf/2500 > 200
DESCRIPTION=A vulnerability in Microsoft Word XP, from Office XP, can be exploited when a browser requests a .doc or .rtf file with the filename in the GET request followed by a hex-encoded null and then a long string. This signature attempts to detect requests for '.rtf%00' followed by a long string. Existing writeups do not make clear just how *long* the string needs to be for a useful overflow, so the 200-byte threshold might need to be adjusted.
MODIFIED=Y
DISABLED=N
UPDATED=N

NAME=ARCSERVE:ROOT-LOGIN
SIGNATURE=T D A S 400 0 6051 ARCSERVE:ROOT-LOGIN /02root/03 , /02/3c/25j8U/5d/60/7e/2bRi/03
DESCRIPTION=iDEFENSE reported a hard-coded default admin-level account in the BrightStor ARCserve Backup UniversalAgent for UNIX. This signature detects login attempts to the root account with the backdoor password reported by iDEFENSE.
EVENTGROUP=ATTACKS
MODIFIED=Y
DISABLED=N

NAME=ARCSERVE:EXPLOIT
SIGNATURE=T D A B 100 300 41523 ARCSERVE:EXPLOIT /9bSERVICEPC , SERVICEPC/01/0c/6c/93/ce/18/18
DESCRIPTION=iDEFENSE reported a hard-coded default admin-level account in the BrightStor ARCserve Backup UniversalAgent for UNIX. This signature detects existing exploits targeting this vulnerability. Signature contributed by Mike Iglesias.
EVENTGROUP=ATTACKS
MODIFIED=Y
DISABLED=N

NAME=NFS:OPENSSH-PUBKEY2-TCP
SIGNATURE=T D A B 10 300 2049 NFS:OPENSSH-PUBKEY-TCP ssh-*s*/20AAAAB3NzaC1yc**AAA
DESCRIPTION=This signature detects an SSH RSA2 or DSA public key being written to an NFS volume over TCP.
EVENTGROUP=ATTACKS
MODIFIED=Y
DISABLED=N

NAME=NFS:OPENSSH-PUBKEY2-UDP
SIGNATURE=U D A B 10 300 2049 NFS:OPENSSH-PUBKEY-UDP ssh-*s*/20AAAAB3NzaC1yc**AAA
DESCRIPTION=This signature detects an SSH RSA2 or DSA public key being written to an NFS volume over UDP.
EVENTGROUP=ATTACKS
MODIFIED=Y
DISABLED=N

NAME=TEL:CAT-ETC-SHADOW
SIGNATURE=T D A B 500 20 T TEL:CAT-ETC-SHADOW cat/20/2fetc/2fshadow/0d
DESCRIPTION=This rule watches for anyone in a telnet session who tries to print out the shadow file. If Dragon watches system administrators, this may have a high false positive rate. If it appears in an unprivileged shell access stream, then it may be suspicious. Accessing the shadow file over an unencrypted link is usually a bad idea.
EVENTGROUP=ATTACKS
ALERRATE=0
SCORE=0
MODIFIED=Y
DISABLED=N
UPDATED=N

NAME=WEB:NETSCAPE-PERF
SIGNATURE=T D A S 100 10 W WEB:NETSCAPE-PERF get/20/2f/2eperf
DESCRIPTION=Some versions of Netscape iPlanet Web Server ship with an option enabled that creates a /.perf URL which leaks sensitive internal information about the server. It should be disabled in any production deployment; remove the Object ppath= entry pointing to .perf, and all references to service-dump from the obj.conf file.
MODIFIED=Y
DISABLED=N

NAME=WEB:SERVLET-FINGER
SIGNATURE=T D A S 100 10 W WEB:SERVLET-FINGER get/20/2fservlet/2ffingerservlet
DESCRIPTION=The common demo Java servlet FingerServlet leaks information about local accounts, and can be used to map out the network surrounding the webserver (behind a DMZ firewall, for instance) by abusing the hosts= parameter. This servlet ships with JRUN.
MODIFIED=Y
DISABLED=N

NAME=WEB:SERVLET-SNOOP
SIGNATURE=T D A S 100 10 W WEB:SERVLET-SNOOP get/20/2fservlet/2fsnoopservlet
DESCRIPTION=The common demo Java servlet SnoopServlet has XSS vulnerabilities allowing cookie theft, and leaks information about the local machine configuration, including directory paths, the real server hostname, etc. This servlet ships with JRUN.
MODIFIED=Y
DISABLED=N

NAME=COMP:SMB-URL-UNICODE
SIGNATURE=T A A B 30 400 445 COMP:SMB-URL-UNICODE X/00h/00t/00t/00p/00/3a/00/2f/00/2f
DESCRIPTION=At least one known LSASS worm variant sets up a mini webserver and sends the victim a URL over the SMB connection in order to propagate itself. This signature attempts to detect any Unicode-encoded URL in the SMB stream. Based on a signature contributed by Trent Healy.
MODIFIED=Y
DISABLED=N
UPDATED=N

NAME=BACKDOOR:PROCESSO
SIGNATURE=T S A B 300 0 W BACKDOOR:PROCESSO /0amy/20/24processo/20/3d?/2fusr/2flocal/2fapache/2fbin/2fhttpd/20/2dDSSL
DESCRIPTION=A number of worms exist which consist of perl scripts targeting vulnerable CGIs like awstats.pl, phpBB, etc. Compromised hosts download and run a perl script which connects to an IRC server of the attacker's choice and awaits further instructions, and possibly also automatically begins finding new targets (via scanning, or querying search engines) and launching attacks. This signature triggers on a string in the perl script as it is being downloaded--meaning the receiving host has just been successfully compromised. It may false-positive sometimes on people viewing web pages discussing the worms.
URL=http://www.google.com/search?q=%22my+%24processo+%3D%22+%22%2Fusr%2Flocal%2Fapache%2Fbin%2Fhttpd+-DSSL%22&btnG=Search
MODIFIED=Y
DISABLED=N
UPDATED=N

NAME=IIS:WIN.INI
SIGNATURE=T D A S 80 400 W IIS:WIN.INI /2fwin.ini
DESCRIPTION=An attempt to retrieve the win.ini file has been detected. This may be someone who is attempting to see if your application is susceptible to directory traversal.
The win.ini file also provides information to the attacker about the configuration of your system.
EVENTGROUP=PROBE
MODIFIED=Y
DISABLED=N
UPDATED=N

NAME=IIS:ODBC.INI
SIGNATURE=T D A S 80 400 W IIS:ODBC.INI /2fodbc.ini
DESCRIPTION=An attempt to retrieve the odbc.ini file has been detected. This may be someone who is attempting to see if your application is susceptible to directory traversal. The odbc.ini file also provides information to the attacker about the configuration of your system.
EVENTGROUP=PROBE
MODIFIED=Y
DISABLED=N
UPDATED=N

NAME=WORM:DIPNET-11768
SIGNATURE=T D A B 10 200 11768 WORM:DIPNET-11768 __123_asdasdfdjhsdf_SAFasdfhjsdf_fsd123
DESCRIPTION=The Dipnet / Oddbob worm spreads via the LSASS vulnerability on port 445 (MS04-011). Infected machines listen on port 11768 or 15118, and respond to a certain "hello" string. This signature detects that string being sent to port 11768. Both the sending host and the receiving host are likely infected; check the response (if any) to confirm that the receiving host is infected.
URL=http://www.lurhq.com/dipnet.html
EVENTGROUP=COMPROMISE
MODIFIED=Y
DISABLED=N
UPDATED=N

NAME=WORM:DIPNET-15118
SIGNATURE=T D A B 10 200 15118 WORM:DIPNET-15118 __123_asdasdfdjhsdf_SAFasdfhjsdf_fsd123
DESCRIPTION=The Dipnet / Oddbob worm spreads via the LSASS vulnerability on port 445 (MS04-011). Infected machines listen on port 11768 or 15118, and respond to a certain "hello" string. This signature detects that string being sent to port 15118. Both the sending host and the receiving host are likely infected; check the response (if any) to confirm that the receiving host is infected.
URL=http://www.lurhq.com/dipnet.html
EVENTGROUP=COMPROMISE
MODIFIED=Y
DISABLED=N
UPDATED=N

NAME=VERITAS:BACKUPEXEC-10000
SIGNATURE=T S A B 20 20 10000 VERITAS:BACKUPEXEC-10000 /80/00/00/24
DESCRIPTION=A buffer overrun exists in Windows versions of the Veritas BackupExec (a component of the Veritas enterprise backup software).
Exploits exist and are being actively used in the wild. This signature detects any access to the Veritas port 10000 listener, which will include legitimate users as well as attackers; some captured events can be used to write more specific signatures. Signature contributed by Mike Iglesias.
MODIFIED=Y
DISABLED=N
UPDATED=N

NAME=PHPBB:VIEWTOPIC
SIGNATURE=T D A B 10 100 W PHPBB:VIEWTOPIC highlight/3d/27
DESCRIPTION=A vulnerability exists in PHPBB that allows arbitrary command execution. This signature detects a straightforward exploit attempt--a creative exploit could most likely evade detection. Signature contributed by Jordan Wiens.
URL=http://marc.theaimsgroup.com/?i=20050628234600.Q95927@zarathustra.linux666.com
MODIFIED=Y
DISABLED=N
UPDATED=N

NAME=XML:METHOD-EXAMPLE
SIGNATURE=T D A S 100 0 W XML:METHOD-EXAMPLE /3c/3fxml/20version/3d/221 , /3cmethodname/3eexamples/2e
DESCRIPTION=XML calls include a methodName parameter indicating the library / function call being accessed. A methodName beginning with "examples." is used in the vast majority of example writeups available online. But as with all sample code, no examples.* methods should be available on a production server. It also makes for a handy method name to call within exploits against generic XML-exposed services, fishing for exploitable systems. If this event triggers, check the rest of the query for suspicious parameters (attempts to execute arbitrary OS commands, etc), and look at the server response for unexpected output.
MODIFIED=Y
DISABLED=N
UPDATED=N

NAME=WEB:GET-SYSTEM
SIGNATURE=T D A B 200 200 W WEB:GET-SYSTEM GET/20/2f , system/28
DESCRIPTION=Some vulnerable CGIs allow an attacker to run arbitrary operating system commands by injecting a 'system()' in an unchecked parameter. This signature attempts to detect suspicious GET requests which include 'system(' in the query string.
Check the rest of the query, and the server's response, to determine if it was indeed an attack, and if the attack was successful.
MODIFIED=Y
DISABLED=N
UPDATED=N

NAME=WEB:POST-SYSTEM
SIGNATURE=T D A B 200 400 W WEB:POST-SYSTEM POST/20/2f , system/28
DESCRIPTION=Some vulnerable CGIs allow an attacker to run arbitrary operating system commands by injecting a 'system()' in an unchecked parameter. This signature attempts to detect suspicious POST requests which include 'system(' in the POST body. Check the rest of the query, and the server's response, to determine if it was indeed an attack, and if the attack was successful.
MODIFIED=Y
DISABLED=N
UPDATED=N

NAME=TEL:LD_AUDIT
SIGNATURE=T D A B 400 0 T TEL:LD_AUDIT LD_AUDIT
DESCRIPTION=Some patchlevels of Solaris 8, 9, and 10 have a vulnerability in the dynamic linker, ld.so, which allows a local user to get root from any setuid binary. Much like earlier LD_PRELOAD environment variable problems, the linker will load and execute any shared library pointed to by the LD_AUDIT environment variable. Thus, an attacker can craft a trivial "give-root" shared library, point LD_AUDIT at that library, and run any setuid binary to instantly get root. This signature detects any reference to LD_AUDIT in a telnet session. It is possible for this signature to false positive, but LD_AUDIT is rarely used, so any trigger is likely to be an exploit attempt.
EVENTGROUP=ATTACKS
URL=http://marc.theaimsgroup.com/?i=42C087BE.5090400@freebsd.lublin.pl
MODIFIED=Y
DISABLED=N
UPDATED=N

NAME=X:BAD-LOGIN
SIGNATURE=T S A S 40 300 X X:BAD-LOGIN login/20incorrect
DESCRIPTION=This signature detects login failures over a remote X Windows session, such as one launched via xdm or dtlogin.
EVENTGROUP=FAILURES
MODIFIED=Y
DISABLED=N
UPDATED=N

NAME=TUNNEL:DNS-HTTP
SIGNATURE=T A A S 20 300 53 TUNNEL:DNS-HTTP /3chtml/3e
DESCRIPTION=This signature detects one form of tunneling HTML traffic (web browsing, or some Instant Messaging protocols) through port 53.
TCP port 53 is often permitted outbound from an organization for DNS; it is allowed by default by Checkpoint's implied rules, for instance. Regardless of your organization's policy regarding browsing and IM use, tunnelling to bypass firewalls should never be acceptable.
EVENTGROUP=SUSPICIOUS
MODIFIED=Y
DISABLED=N
UPDATED=N

NAME=SMTP:EXPIRES-OVERFLOW
SIGNATURE=T D A S 40 0 25 SMTP:EXPIRES-OVERFLOW /0aexpires/3a/20 > 100
DESCRIPTION=Some SMTP clients (notably Elm) have buffer overruns when handling overly large Expires: headers. Legitimately long Expires: headers should be exceedingly rare, so this signature triggers on any Expires header longer than 100 bytes.
EVENTGROUP=ATTACKS
MODIFIED=Y
DISABLED=N
UPDATED=N

NAME=MS-SQL:LOGIN-SA
SIGNATURE=T D A B 20 300 1433 MS-SQL:LOGIN-SA /00/00S/00E/00R/00V/00E/00R/00s/00a/00/b3/a5
DESCRIPTION=This signature detects login attempts to a Microsoft SQL Server database using the 'sa' account. By default sa has full control over the database and the host operating system, and it is best practice to normally interact with the database as a less-privileged user. Also, there are worms which target MSSQL servers with weak (or no) password on the 'sa' account.
EVENTGROUP=ATTACKS
MODIFIED=Y
DISABLED=N
UPDATED=N
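As an added example, not part of this library or of Dragon itself, the following Python matcher decodes the pattern syntax used in the SIGNATURE= lines above (hex escapes such as /2e, the ' , ' multi-pattern form of WEB:GET-SYSTEM, and the '> N' length clause of CLIENT:DOC-NULL-OVERFLOW and SMTP:EXPIRES-OVERFLOW) and runs the records against constructed sample payloads. The semantics of ' , ', '> N' and the S/B flag are assumptions, since the file does not document them.

```python
"""Added example (not Dragon's own code): a minimal matcher for the SIGNATURE=
syntax used in this library. Assumptions, since the page does not spell them out:
'/xx' is one hex-encoded byte; patterns separated by ' , ' must all occur, in
order; '> N' requires more than N bytes after the last pattern before the next
newline; the 4th field 'S' means case-insensitive and 'B' case-sensitive."""
import re
from dataclasses import dataclass

@dataclass
class Signature:
    proto: str        # T = TCP, U = UDP
    port: str         # e.g. 25, 3306, or service letters such as W (web), T (telnet)
    name: str
    patterns: list    # decoded byte strings, all required, in order
    min_tail: int     # N from '> N', 0 when absent
    case_insensitive: bool

def decode(pat: str) -> bytes:
    """'/2e' -> b'.', any other character is literal."""
    return re.sub(rb'/([0-9a-fA-F]{2})',
                  lambda m: bytes.fromhex(m.group(1).decode()), pat.encode())

def parse_signature(line: str) -> Signature:
    """Parse one SIGNATURE= value: 8 fixed fields, then the pattern spec."""
    f = line.split()
    pats, min_tail, i = [], 0, 8
    while i < len(f):
        if f[i] == ',':
            i += 1
        elif f[i] == '>':
            min_tail, i = int(f[i + 1]), i + 2
        else:
            pats.append(decode(f[i]))
            i += 1
    return Signature(f[0], f[6], f[7], pats, min_tail, f[3] == 'S')

def matches(sig: Signature, payload: bytes) -> bool:
    """True when every pattern occurs in order and the '> N' tail rule holds."""
    data = payload.lower() if sig.case_insensitive else payload
    pos = 0
    for p in sig.patterns:
        i = data.find(p.lower() if sig.case_insensitive else p, pos)
        if i < 0:
            return False
        pos = i + len(p)
    if sig.min_tail:
        eol = data.find(b'\n', pos)
        return (len(data) if eol < 0 else eol) - pos > sig.min_tail
    return True
```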