Bro signature for detecting hosts infected with "Witty"
Vern Paxson
vern at icir.org
Sat Mar 20 15:10:01 PST 2004
Here's a signature to detect the Witty worm that's going around today:
signature witty-worm {
    # Witty always sends from UDP source port 4000 (udp[0:2] is the source port).
    header udp[0:2] == 4000
    # The worm's payload carries this literal marker string.
    payload /.*insert witty message here/
    event "Source infected with Witty"
}
If you put that in "witty.sig" then the appended script will generate
RemoteWittyInfectee for non-local infected hosts and LocalWittyInfectee
for local ones.
Vern
@load log
@load site
@load alert

# Load the Witty signature from the accompanying file.
redef signature_files += "witty.sig";

# One alert type for remote infectees, one for local ones.
redef enum Alert += { RemoteWittyInfectee, LocalWittyInfectee };

# Witty sends from UDP source port 4000, so capture only that traffic.
redef capture_filters = { ["witty"] = "udp src port 4000" };

# Keep track of each infection spotted.
global witty_infectees: table[addr] of count &default = 0;

event signature_match(state: signature_state, msg: string, data: string)
    {
    local infectee = state$conn$id$orig_h;

    # Alert only the first time a given source host is seen sending Witty traffic.
    if ( ++witty_infectees[infectee] == 1 )
        ALERT([$alert = is_local_addr(infectee) ?
                        LocalWittyInfectee : RemoteWittyInfectee,
               $conn = state$conn,
               $msg = fmt("source %s infected by Witty", infectee)]);
    }
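The same detection logic as the signature and script above, written as an added Python example that is not from the original post: it parses constructed raw UDP datagrams, matches source port 4000 plus the Witty marker string, and alerts once per source host, classifying it as local or remote. The local address range (10.0.0.0/8) and the sample datagrams are assumptions made for this example.

```python
import ipaddress
import struct

# Equivalent of the signature: UDP source port 4000 and the Witty marker string in the payload.
WITTY_SRC_PORT = 4000
WITTY_MARKER = b"insert witty message here"
# Assumed local address space (stands in for site.bro's local-network configuration).
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

def parse_udp(datagram: bytes):
    """Split a raw UDP datagram into (src_port, dst_port, payload); udp[0:2] is the source port."""
    if len(datagram) < 8:
        raise ValueError("short UDP datagram")
    src_port, dst_port, _length, _cksum = struct.unpack("!HHHH", datagram[:8])
    return src_port, dst_port, datagram[8:]

def is_local_addr(host: str) -> bool:
    return any(ipaddress.ip_address(host) in net for net in LOCAL_NETS)

class WittyTracker:
    """Mirrors the script: count sightings per source host and alert only on the first one."""
    def __init__(self):
        self.infectees = {}  # source address -> number of matching datagrams seen

    def observe(self, src_host: str, datagram: bytes):
        src_port, _dst_port, payload = parse_udp(datagram)
        if src_port != WITTY_SRC_PORT or WITTY_MARKER not in payload:
            return None  # signature did not match
        self.infectees[src_host] = self.infectees.get(src_host, 0) + 1
        if self.infectees[src_host] != 1:
            return None  # this host was already reported
        kind = "LocalWittyInfectee" if is_local_addr(src_host) else "RemoteWittyInfectee"
        return f"{kind}: source {src_host} infected by Witty"

def make_udp(src_port: int, dst_port: int, payload: bytes) -> bytes:
    # Build a constructed UDP datagram (8-byte header + payload) for offline testing.
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload

# Constructed sample traffic: a local host seen twice, one remote infectee, two non-matches.
MARKER = b"(^.^) insert witty message here (^.^)"
SAMPLE = [
    ("10.1.2.3", make_udp(4000, 31337, MARKER)),
    ("10.1.2.3", make_udp(4000, 4444, MARKER)),
    ("198.51.100.7", make_udp(4000, 5555, MARKER)),
    ("198.51.100.8", make_udp(4000, 53, b"ordinary udp payload")),
    ("198.51.100.9", make_udp(4001, 1, MARKER)),
]

def run_sample():
    tracker = WittyTracker()  # feed the sample through one tracker, return alerts in order
    return [a for a in (tracker.observe(h, d) for h, d in SAMPLE) if a]
```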