Bro signature for detecting hosts infected with "Witty"

Vern Paxson vern at
Sat Mar 20 15:10:01 PST 2004

Here's a signature to detect the Witty worm that's going around today:

	signature witty-worm {
	  header udp[0:2] == 4000
	  payload /.*insert witty message here/
	  event "Source infected with Witty"

If you put that in "witty.sig" then the appended script will generate
RemoteWittyInfectee for non-local infected hosts and LocalWittyInfectee
for local ones.


@load log
@load site
@load alert

redef signature_files += "witty.sig";
redef enum Alert += { RemoteWittyInfectee, LocalWittyInfectee };
redef capture_filters = { ["witty"] = "udp src port 4000" };

# Keep track of each infection spotted.
global witty_infectees: table[addr] of count &default = 0;

event signature_match(state: signature_state, msg: string, data: string)
	local infectee = state$conn$id$orig_h;

	if ( ++witty_infectees[infectee] == 1 )
		ALERT([$alert = is_local_addr(infectee) ?
				LocalWittyInfectee : RemoteWittyInfectee,
			$msg=fmt("source %s infected by Witty", infectee)]);

More information about the Bro mailing list