I found another signature... It uses longer content, so it is more exact. Isn't
it?
alert udp any 4000:5000 -> any any (msg:"Witty Initial Traffic";content:"|29202020202020696e73657274207769747479206d6573736167652068657265|";rev:1;)
Source port restriction may be removed.
---
Best regards, Sergey V. Soldatov.
[EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: [ISSForum] Witty signature
20.03.2004 14:17
Pretty easy one:
alert udp any 4000 -> any any (msg:"ISS RealSecure or BlackICE Witty Infection Attempt"; content:"|20 20 20 20 20 20|insert.witty.message.here"; depth:146; classtype:trojan-activity; reference:url,http://xforce.iss.net/xforce/alerts/id/166; sid:1111001; rev:1;)
Mostly useful for the Trons crowd (drop disallowed Trons fields
accordingly).
--
Tod Beardsley
www.planb-security.net
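As an added example (not code from either poster, from ISS, or from Snort), here is a small Python matcher that applies the content, depth and source-port parts of the two rules in this thread to constructed sample datagrams. Snort treats text outside |...| as literal bytes, so a "." in a content string is a period rather than a wildcard, and depth requires the whole pattern to fall inside the first N bytes of the payload; the script makes both effects visible. The MARKER_* strings and PAYLOAD_* datagrams are constructed from the hex in Sergey's rule and are not captures of real traffic.

```python
from typing import Optional

# Added example: a minimal Snort-style content/depth/source-port matcher used to
# see what the two Witty rules in this thread match byte for byte.
# It is not Snort and not ISS code; the payloads below are constructed, not captures.


def parse_content(content: str) -> bytes:
    """Turn a Snort content string into raw bytes.

    Text outside |...| is literal (a '.' is a literal period, not a wildcard);
    text inside |...| is hex, with or without spaces between bytes.
    """
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        if i % 2 == 1:
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("latin-1")
    return bytes(out)


def content_matches(payload: bytes, content: str, depth: Optional[int] = None) -> bool:
    """Snort 'depth' semantics: the whole pattern must lie within the first
    `depth` bytes of the payload; no depth means search the entire payload."""
    pattern = parse_content(content)
    window = payload if depth is None else payload[:depth]
    return pattern in window


# The two rules from the thread, reduced to the fields this matcher uses.
SERGEY_RULE = {
    "src_ports": range(4000, 5001),   # udp any 4000:5000
    "content": "|29202020202020696e73657274207769747479206d6573736167652068657265|",
    "depth": None,
}
TOD_RULE = {
    "src_ports": range(4000, 4001),   # udp any 4000
    "content": "|20 20 20 20 20 20|insert.witty.message.here",
    "depth": 146,
}


def rule_fires(rule: dict, src_port: int, payload: bytes) -> bool:
    """Apply the header (source port) check, then the content check."""
    if src_port not in rule["src_ports"]:
        return False
    return content_matches(payload, rule["content"], rule["depth"])


# Constructed sample datagrams (not real Witty traffic): the marker string that
# Sergey's hex decodes to, embedded at offset 16, and a variant with periods in
# place of the spaces between words.
MARKER_SPACES = b")      insert witty message here"
MARKER_DOTS = b")      insert.witty.message.here"
PAYLOAD_SPACES = b"\x00" * 16 + MARKER_SPACES + b"\x00" * 200
PAYLOAD_DOTS = b"\x00" * 16 + MARKER_DOTS + b"\x00" * 200
# Same markers, placed so that they end past byte 146 (outside Tod's depth).
PAYLOAD_SPACES_DEEP = b"\x00" * 140 + MARKER_SPACES + b"\x00" * 200
PAYLOAD_DOTS_DEEP = b"\x00" * 140 + MARKER_DOTS + b"\x00" * 200


if __name__ == "__main__":
    for name, rule in (("Sergey", SERGEY_RULE), ("Tod", TOD_RULE)):
        print(name, "pattern bytes:", parse_content(rule["content"]))
        for label, port, payload in (
            ("spaces, sport 4000", 4000, PAYLOAD_SPACES),
            ("spaces, sport 4500", 4500, PAYLOAD_SPACES),
            ("dots, sport 4000", 4000, PAYLOAD_DOTS),
            ("dots at offset 140, sport 4000", 4000, PAYLOAD_DOTS_DEEP),
        ):
            print(f"  {label}: {rule_fires(rule, port, payload)}")
```

Running the script shows the two rules selecting on different byte strings (spaces versus periods between the words), different source-port ranges (4000:5000 versus 4000 only), and that depth:146 stops Tod's rule from firing when the marker sits deeper in the datagram, which is the kind of check worth doing before deploying either rule.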
_______________________________________________
ISSForum mailing list
[EMAIL PROTECTED]
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo/issforum
To contact the ISSForum Moderator, send email to [EMAIL PROTECTED]
The ISSForum mailing list is hosted and managed by Internet Security
Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.