Network Security Snort-Signatures

[Snort-sigs] lots of hits on WEB-CLIENT ShockwaveFlash.ShockwaveFlash ActiveX CLSID access, Sig ID, 7978

Subject: [Snort-sigs] lots of hits on WEB-CLIENT ShockwaveFlash.ShockwaveFlash ActiveX CLSID access, Sig ID, 7978
Date: Fri, 08 Sep 2006 09:17:22 +1200
I've got over 50,000 hits on this rule in the last 24 hours, on the order of
2,500 sources and 2,500 destinations.  Either it's a widespread worm
that I've not heard of or they are FPs.

Russell

META
--------
SID     CID             TimeStamp               Signature
6       14134222        2006-09-07 23:06:55     WEB-CLIENT ShockwaveFlash.ShockwaveFlash ActiveX CLSID access (Sig ID 7978)

Sensor Hostname                         Sensor Interface
hihi.insec.auckland.ac.nz       new dmz sensor

IP
--------
Source Address  Dest Address    Ver     Hdr Len
130.216.175.1   12.180.111.234  4       5
TOS     length  ID      flags   offset  TTL     chksum
0       1420    35749   2       0       62      64846

Resolved Source
cfdl-web.cfdl.auckland.ac.nz

Resolved Dest
Could Not Resolve


TCP
--------
Source Port     Dest Port       Seq             Ack             
80              35577           3660233889      44690319
Offset  Reserved        Flags   Window  Checksum        Urgent Ptr
5       0               16      6432    4144            0

Options
--------
None


Flags
--------
RB 1    RB 0    URG     ACK     PSH     RST     SYN     FIN
-       -       -       X       -       -       -       -

DATA
--------
222229207B0A20202020    "") {.
202020616C6572742877       alert(w
6879293B0A2020202020    hy);.
202072657475726E2066      return f
616C73653B0A20202020    alse;.
7D0A72657475726E2074    }.return t
7275653B0A7D0A0A2020    rue;.}..
20202F2F202D2D3E0A20      // -->.
2020203C2F7363726970       </scrip
743E0A0A3C63656E7465    t>..<cente
723E0A0A3C7461626C65    r>..<table
20626F726465723D2230     border="0
222077696474683D2236    " width="6
3630222063656C6C7370    60" cellsp
6163696E673D22302220    acing="0"
63656C6C70616464696E    cellpaddin
673D2230223E09090920    g="0">...
200A090909093C74723E     .....<tr>
0A090909090920202020    ......
0A09090909093C746420    ......<td
77696474683D22312220    width="1"
726F777370616E3D2232    rowspan="2
22206267636F6C6F723D    " bgcolor=
2223303030303030223E    "#000000">
3C696D67207372633D22    <img src="
687474703A2F2F777777    http://www
2E736C632E6175636B6C    .slc.auckl
616E642E61632E6E7A2F    and.ac.nz/
6D656469612F70697865    media/pixe
6C2E6769662220776964    l.gif" wid
74683D22312220686569    th="1" hei
6768743D2231223E3C2F    ght="1"></
74643E0A090909090920    td>......
2020200A09090909093C       ......<
7464206865696768743D    td height=
22313130222077696474    "110" widt
683D223635382220616C    h="658" al
69676E3D2263656E7465    ign="cente
7222206267636F6C6F72    r" bgcolor
3D222334343434383822    ="#444488"
3E3C212D2D2055524C27    ><!-- URL'
73207573656420696E20    s used in
746865206D6F7669652D    the movie-
2D3E3C212D2D20746578    -><!-- tex
74207573656420696E20    t used in
746865206D6F7669652D    the movie-
2D3E3C4F424A45435420    -><OBJECT
636C61737369643D2263    classid="c
6C7369643A4432374344    lsid:D27CD
4236452D414536442D31    B6E-AE6D-1
3163662D393642382D34    1cf-96B8-4
34343535333534303030    4455354000
30220A20636F64656261    0". codeba
73653D22687474703A2F    se="http:/
2F646F776E6C6F61642E    /download.
6D6163726F6D65646961    macromedia
2E636F6D2F7075622F73    .com/pub/s
686F636B776176652F63    hockwave/c
6162732F666C6173682F    abs/flash/
7377666C6173682E6361    swflash.ca
622376657273696F6E3D    b#version=
362C302C302C30220A20    6,0,0,0".
57494454483D22363538    WIDTH="658
22204845494748543D22    " HEIGHT="
313130222069643D2274    110" id="t
69746C6562616E6E6572    itlebanner
2220414C49474E3D2222    " ALIGN=""
3E3C504152414D204E41    ><PARAM NA
4D453D6D6F7669652056    ME=movie V
414C55453D2268747470    ALUE="http
3A2F2F7777772E736C63    ://www.slc
2E6175636B6C616E642E    .auckland.
61632E6E7A2F6D656469    ac.nz/medi
612F7469746C6562616E    a/titleban
6E65722E737766223E3C    ner.swf"><
504152414D204E414D45    PARAM NAME
3D6D656E752056414C55    =menu VALU
453D66616C73653E3C50    E=false><P
4152414D204E414D453D    ARAM NAME=
7175616C697479205641    quality VA
4C55453D686967683E3C    LUE=high><
504152414D204E414D45    PARAM NAME
3D6267636F6C6F722056    =bgcolor V
414C55453D2330303030    ALUE=#0000
33333E3C454D42454420    33><EMBED
7372633D22687474703A    src="http:
2F2F7777772E736C632E    //www.slc.
6175636B6C616E642E61    auckland.a
632E6E7A2F6D65646961    c.nz/media
2F7469746C6562616E6E    /titlebann
65722E73776622206D65    er.swf" me
6E753D66616C73652071    nu=false q
75616C6974793D686967    uality=hig
68206267636F6C6F723D    h bgcolor=
23303030303333202057    #000033  W
494454483D2236353822    IDTH="658"
204845494748543D2231     HEIGHT="1
313022204E414D453D22    10" NAME="
6D656469612F7469746C    media/titl
6562616E6E6572222041    ebanner" A
4C49474E3D22220A2054    LIGN="". T
5950453D226170706C69    YPE="appli
636174696F6E2F782D73    cation/x-s
686F636B776176652D66    hockwave-f
6C6173682220504C5547    lash" PLUG
494E53504147453D2268    INSPAGE="h
7474703A2F2F7777772E    ttp://www.
6D6163726F6D65646961    macromedia
2E636F6D2F676F2F6765    .com/go/ge
74666C617368706C6179    tflashplay
6572223E3C2F454D4245    er"></EMBE
443E3C2F4F424A454354    D></OBJECT
3E3C2F74643E0A090909    ></td>....
0909202020200A090909    ..    ....
09093C74642077696474    ..<td widt
683D223122206267636F    h="1" bgco
6C6F723D222330303030    lor="#0000
30302220726F77737061    00" rowspa
6E3D2232223E3C696D67    n="2"><img
207372633D2268747470     src="http
3A2F2F7777772E736C63    ://www.slc
2E6175636B6C616E642E    .auckland.
61632E6E7A2F6D656469    ac.nz/medi
612F706978656C2E6769    a/pixel.gi
66222077696474683D22    f" width="
3122206865696768743D    1" height=
2231223E3C2F74643E0A    "1"></td>.
090909090920200A0909    .....  ...
09093C2F74723E0A0909    ..</tr>...
093C2F7461626C653E0A    .</table>.
0A0909093C7461626C65    ....<table
20626F726465723D2230     border="0
222077696474683D2236    " width="6
3630222063656C6C7370    60" cellsp
6163696E673D22302220    acing="0"
63656C6C70616464696E    cellpaddin
673D2230223E0A090909    g="0">....
092020203C666F726D20    .   <form

DATA
--------
"") {.       alert(why);.       return false;.    }.return t
rue;.}..    // -->.    </script>..<center>..<table border="0
" width="660" cellspacing="0" cellpadding="0">...  .....<tr>
......    ......<td width="1" rowspan="2" bgcolor="#000000">
<img src="http://www.slc.auckland.ac.nz/media/pixel.gif" wid
th="1" height="1"></td>......    ......<td height="110" widt
h="658" align="center" bgcolor="#444488"><!-- URL's used in
the movie--><!-- text used in the movie--><OBJECT classid="c
lsid:D27CDB6E-AE6D-11cf-96B8-444553540000". codebase="http:/
/download.macromedia.com/pub/shockwave/cabs/flash/swflash.ca
b#version=6,0,0,0". WIDTH="658" HEIGHT="110" id="titlebanner
" ALIGN=""><PARAM NAME=movie VALUE="http://www.slc.auckland.
ac.nz/media/titlebanner.swf"><PARAM NAME=menu VALUE=false><P
ARAM NAME=quality VALUE=high><PARAM NAME=bgcolor VALUE=#0000
33><EMBED src="http://www.slc.auckland.ac.nz/media/titlebann
er.swf" menu=false quality=high bgcolor=#000033  WIDTH="658"
 HEIGHT="110" NAME="media/titlebanner" ALIGN="". TYPE="appli
cation/x-shockwave-flash" PLUGINSPAGE="http://www.macromedia
.com/go/getflashplayer"></EMBED></OBJECT></td>......    ....
..<td width="1" bgcolor="#000000" rowspan="2"><img src="http
://www.slc.auckland.ac.nz/media/pixel.gif" width="1" height=
"1"></td>......  .....</tr>....</table>.....<table border="0
" width="660" cellspacing="0" cellpadding="0">.....   <form

_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
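The captured payload shows why these alerts look like false positives: the Flash ActiveX CLSID is sitting inside a static `<OBJECT classid="clsid:...">` embed on an ordinary university web page, exactly as every Flash-using page of that era served it, and a content match on the CLSID string alone cannot distinguish that from a page that instantiates the control from script. The following is an added example, not part of the original post or of the Snort rule set, for triaging such alerts offline: it rebuilds the raw payload from the hex column of the ACID dump (the ASCII column is lossy; each `.` there is a 0x0A newline, as the hex shows), then checks whether the CLSID occurs inside a plain `<object>` tag or next to script-side instantiation. It assumes, since the rule body is not on this page, that SID 7978 keys on the CLSID string D27CDB6E-AE6D-11cf-96B8-444553540000 in server-to-client content; the `SCRIPT_SAMPLE` payload and the `verdict` heuristic are constructed for illustration and are not anything Snort itself does.

```python
import re

# Hex/ASCII rows copied from the ACID dump in the post (the rows covering the
# <OBJECT> tag and its codebase attribute). Only the hex column is decoded.
ACID_DUMP = """\
2D3E3C4F424A45435420    -><OBJECT
636C61737369643D2263    classid="c
6C7369643A4432374344    lsid:D27CD
4236452D414536442D31    B6E-AE6D-1
3163662D393642382D34    1cf-96B8-4
34343535333534303030    4455354000
30220A20636F64656261    0". codeba
73653D22687474703A2F    se="http:/
2F646F776E6C6F61642E    /download.
6D6163726F6D65646961    macromedia
2E636F6D2F7075622F73    .com/pub/s
686F636B776176652F63    hockwave/c
6162732F666C6173682F    abs/flash/
7377666C6173682E6361    swflash.ca
622376657273696F6E3D    b#version=
362C302C302C30220A20    6,0,0,0".
"""

# Constructed contrast case (not from the post): the same CLSID reached from
# script rather than a static embed. A CLSID-only content match fires on both.
SCRIPT_SAMPLE = (
    b'<script>var o=document.createElement("object");'
    b'o.setAttribute("classid","clsid:D27CDB6E-AE6D-11cf-96B8-444553540000");'
    b'document.body.appendChild(o);</script>'
)

# Flash ActiveX control CLSID exactly as it appears in the captured payload.
FLASH_CLSID = "D27CDB6E-AE6D-11cf-96B8-444553540000"

# Script-side ways of getting at an ActiveX control (illustrative list).
SCRIPT_INSTANTIATION = re.compile(
    rb"ActiveXObject\s*\(|CreateObject\s*\(|createElement\s*\(\s*[\"']object",
    re.IGNORECASE,
)


def decode_acid_dump(dump: str) -> bytes:
    """Rebuild the raw payload from an ACID/BASE style hex dump.

    Each row is '<hex bytes><whitespace><ascii rendering>'. Only the first
    column is trusted: ACID prints unprintable bytes (newlines, tabs) as '.'.
    """
    out = bytearray()
    for line in dump.splitlines():
        line = line.strip()
        if not line:
            continue
        out += bytes.fromhex(line.split(None, 1)[0])
    return bytes(out)


def find_clsid(payload: bytes, clsid: str = FLASH_CLSID) -> list:
    """Locate each occurrence of the CLSID and classify its context.

    Returns (offset, kind) tuples, where kind is 'object-tag' when the CLSID
    is the classid attribute of an <object> element and 'other' otherwise.
    """
    hits = []
    for m in re.finditer(re.escape(clsid.encode()), payload, re.IGNORECASE):
        start = payload.rfind(b"<", 0, m.start())
        tag = payload[start:m.end()] if start != -1 else b""
        if re.match(rb"<object\b[^>]*\bclassid\s*=", tag, re.IGNORECASE | re.DOTALL):
            hits.append((m.start(), "object-tag"))
        else:
            hits.append((m.start(), "other"))
    return hits


def triage_payload(payload: bytes) -> dict:
    """Heuristic FP triage for a CLSID-access alert (constructed, not Snort's).

    'static-embed': every CLSID hit is a plain <object classid=...> and there
    is no script-side instantiation, i.e. a normal Flash page.
    'review': anything else; the analyst should look at the page.
    """
    hits = find_clsid(payload)
    scripted = bool(SCRIPT_INSTANTIATION.search(payload))
    if hits and not scripted and all(kind == "object-tag" for _, kind in hits):
        verdict = "static-embed"
    else:
        verdict = "review"
    return {"clsid_hits": hits, "script_instantiation": scripted, "verdict": verdict}


if __name__ == "__main__":
    captured = decode_acid_dump(ACID_DUMP)
    print(captured.decode("ascii", "replace"))
    print("captured alert:", triage_payload(captured))
    print("scripted sample:", triage_payload(SCRIPT_SAMPLE))
```

Run against the dump from the post, the decoded bytes read `-><OBJECT classid="clsid:D27CDB6E-...` followed by a newline and the Macromedia codebase URL, and the triage reports a single hit inside an `<object>` tag with no script instantiation. The constructed script sample produces the same CLSID hit but is flagged for review. The classification is a triage aid only: a page can legitimately script the control, and an attacker can equally serve a static embed, so the result tells you what to look at next, not whether the page is malicious.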

Current thread:
  • [Snort-sigs] lots of hits on WEB-CLIENT ShockwaveFlash.ShockwaveFlash ActiveX CLSID access, Sig ID, 7978, Russell Fulton