mirror of
https://github.com/zeek/zeek.git
synced 2025-10-14 20:48:21 +00:00
38 lines
971 B
Standard ML
38 lines
971 B
Standard ML
signature sslworm-probe {
|
|
header ip[9:1] == 6
|
|
header ip[16:4] == local_nets
|
|
header tcp[2:2] == 80
|
|
payload /.*GET \/ HTTP\/1\.1\x0d\x0a\x0d\x0a/
|
|
event "Host may have been probed by Apache/SSL worm"
|
|
}
|
|
|
|
signature sslworm-vulnerable-probe {
|
|
requires-signature sslworm-probe
|
|
eval sslworm_is_server_vulnerable
|
|
event "Host may have been probed by Apache/SSL worm and is vulnerable"
|
|
}
|
|
|
|
signature sslworm-exploit {
|
|
header ip[9:1] == 6
|
|
header ip[16:4] == local_nets
|
|
header tcp[2:2] == 443
|
|
eval sslworm_has_server_been_probed
|
|
event "Apache/Worm has tried to exploit host"
|
|
}
|
|
|
|
signature sslworm-infection {
|
|
header ip[9:1] == 17
|
|
header ip[12:4] == local_nets
|
|
header udp[0:2] == 2002
|
|
eval sslworm_has_server_been_exploited
|
|
event "Host has been infected by Apache/SSL worm"
|
|
}
|
|
|
|
signature sslworm-udp2002 {
|
|
header ip[9:1] == 17
|
|
header udp[0:2] == 2002
|
|
header udp[2:2] == 2002
|
|
event "Hosts may have been infected by Apache/SSL worm"
|
|
}
|
|
|
|
|