Re: [logs] nimda web server logs

From: Sweth Chandramouli (loganalysisat_private)
Date: Fri Jun 14 2002 - 12:24:14 PDT


On Fri, Jun 14, 2002 at 12:27:19PM +0200, wolfgangat_private wrote:
> No requests for *.cif were seen in this case, and no requests for repair/sam
> either.
	In which case, what is it about the requests that makes
you think they are related to the ones Tina was seeing?  Hmm... I feel
like this problem needs to be better defined...
	In my world, a Nimda scan is one with a fairly constant
and short time delta between requests to machines on the same network,
and whose GET request string matches the following pseudo-grammar:

nimda:               base_dir traversal_string [ desired_file | command ]
base_dir:            /^(scripts|msadc|_mem_bin|_vti_bin|[cd])$/i
desired_file:        'Admin.dll'
                   | 'httpodbc.dll'
command:             command_interpreter command_string
command_interpreter: '/winnt/system32/cmd.exe?/c'
                   | 'root.exe?/c'
command_string:      tftp_command | local_exec
local_exec:          'dir'

	, where I'm leaving traversal_string and tftp_command
undefined for now (both because I'm lazy and because I don't think it
will affect the problem definition significantly), and assuming the
parser uses forward slashes to separate tokens.
	I think Tina's scans aren't Nimda, then, because they have
a different time signature (relatively long irregular pauses between
requests, as though someone were thinking about what to do next), and
because they have either a different desired_file ('winnt/repair/sam')
or a different local_exec ('dir+c:\\*.cif/s/b').
	So, for these other scans that people are reporting: do
they match my definition of Nimda above, or not?  If not, how
specifically are they different?

	(Jay's original list of Nimda signatures to loganalysis
also included the local_exec component 'echo+test+message+>test.msg"',
but I'm fairly certain that further examination of his logs would reveal
that that was actually a manual scan that just happened to look vaguely
Nimda-ish.)

	-- Sweth.

-- 
Sweth Chandramouli      Idiopathic Systems Consulting
svcat_private      http://www.idiopathic.net/

---------------------------------------------------------------------
To unsubscribe, e-mail: loganalysis-unsubscribeat_private
For additional commands, e-mail: loganalysis-helpat_private
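Sweth's pseudo-grammar and his timing criterion, turned into a small log checker. This is an added example, not code from the thread or from any list member. It reads Common Log Format lines, tags each GET as "nimda" (full match of the grammar above), "nimda-like" (Nimda shape but a different desired_file or local_exec, the kind of difference Sweth asks people to report) or nothing, and then judges the cadence per source address. Assumptions not in the post: traversal_string is taken to be zero or more path segments containing "..", any command beginning with "tftp" stands in for the undefined tftp_command, "short and fairly constant" is modelled as every gap at most 5 seconds with at most 3 seconds of spread, and the log lines and addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sweth's grammar as a loose regex: base_dir, a traversal_string, then the tail
# (desired_file or command), which classify_request() examines separately.
# ASSUMPTION: traversal_string is undefined in the post; here it is zero or more
# path segments that contain "..", encoded or not.
REQUEST_RE = re.compile(
    r"^/(?P<base>scripts|msadc|_mem_bin|_vti_bin|[cd])"
    r"(?P<traversal>(?:/[^/?]*\.\.[^/?]*)*)"
    r"/(?P<tail>.*)$",
    re.IGNORECASE,
)
DESIRED_FILES = {"admin.dll", "httpodbc.dll"}
# command_interpreter followed by command_string; cmd.exe arguments are '+'-joined
COMMAND_RE = re.compile(
    r"^(?P<interp>winnt/system32/cmd\.exe|root\.exe)\?/c\+(?P<cmd>.*)$",
    re.IGNORECASE,
)
# Common Log Format: ip ident user [timestamp] "METHOD path HTTP/x" status bytes
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

SHORT_DELTA = 5.0  # seconds; ASSUMPTION for "short time delta"
JITTER = 3.0       # seconds; ASSUMPTION for "fairly constant"


def classify_request(path):
    """Return ("nimda", detail), ("nimda-like", detail) or (None, None)."""
    m = REQUEST_RE.match(path)
    if not m or not m.group("tail"):
        return None, None
    tail = m.group("tail")
    if tail.lower() in DESIRED_FILES:
        return "nimda", f"desired_file={tail}"
    c = COMMAND_RE.match(tail)
    if c:
        cmd = c.group("cmd")
        # ASSUMPTION: tftp_command is undefined in the post; a command starting
        # with "tftp" is taken to be one.
        if cmd.lower() == "dir" or cmd.lower().startswith("tftp"):
            return "nimda", f"command={c.group('interp')} {cmd}"
        return "nimda-like", f"different local_exec: {cmd!r}"
    return "nimda-like", f"different desired_file: {tail!r}"


def parse_log(lines):
    """Yield (ip, timestamp, path) for each parseable GET line."""
    for line in lines:
        m = CLF_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        yield m.group("ip"), ts, m.group("path")


def analyse(lines):
    """Per source IP: request verdicts, inter-request gaps and a cadence verdict.

    cadence is "worm-like" when all gaps are short and nearly constant,
    "manual" when there are long or irregular pauses, "n/a" for one request.
    """
    per_ip = defaultdict(list)
    for ip, ts, path in parse_log(lines):
        verdict, detail = classify_request(path)
        if verdict:
            per_ip[ip].append((ts, verdict, detail))
    report = {}
    for ip, events in per_ip.items():
        events.sort()
        deltas = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        if not deltas:
            cadence = "n/a"
        elif max(deltas) <= SHORT_DELTA and max(deltas) - min(deltas) <= JITTER:
            cadence = "worm-like"
        else:
            cadence = "manual"
        report[ip] = {
            "cadence": cadence,
            "deltas": deltas,
            "verdicts": [v for _, v, _ in events],
            "details": [d for _, _, d in events],
        }
    return report


# Constructed sample log: one worm-paced source, one slow source with
# Tina-style variations, one unrelated request.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Jun/2002:12:01:00 +0200] "GET /scripts/../../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 314
10.0.0.5 - - [14/Jun/2002:12:01:01 +0200] "GET /msadc/../../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 314
10.0.0.5 - - [14/Jun/2002:12:01:02 +0200] "GET /_vti_bin/../../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 314
10.0.0.5 - - [14/Jun/2002:12:01:03 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 314
10.0.0.5 - - [14/Jun/2002:12:01:04 +0200] "GET /scripts/Admin.dll HTTP/1.0" 404 314
192.0.2.77 - - [14/Jun/2002:13:10:05 +0200] "GET /scripts/../../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 314
192.0.2.77 - - [14/Jun/2002:13:12:41 +0200] "GET /scripts/../../winnt/system32/cmd.exe?/c+dir+c:\\*.cif/s/b HTTP/1.0" 404 314
192.0.2.77 - - [14/Jun/2002:13:19:03 +0200] "GET /scripts/../../winnt/repair/sam HTTP/1.0" 404 314
198.51.100.9 - - [14/Jun/2002:13:20:00 +0200] "GET /index.html HTTP/1.0" 200 1024
"""

if __name__ == "__main__":
    for ip, info in analyse(SAMPLE_LOG.splitlines()).items():
        print(ip, info["cadence"], info["deltas"])
        for v, d in zip(info["verdicts"], info["details"]):
            print("   ", v, d)
```

On the sample, 10.0.0.5 comes out "worm-like" with five "nimda" hits, while 192.0.2.77 comes out "manual" (gaps of 156 s and 382 s) with one "nimda" hit followed by two "nimda-like" hits whose details name exactly the differing local_exec and desired_file, which is the answer to Sweth's "how specifically are they different?".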
    This archive was generated by hypermail 2b30 : Fri Jun 14 2002 - 12:38:38 PDT