monitoring for blackworm with swatch

Written by jlgaddis on January 25, 2006 – 4:29 am

As kind of a follow-up to “Monitoring for Sober.Y with Squid and swatch“, I figured I’d throw up this post about monitoring for Blackworm with swatch. I won’t go into the details of the worm itself, as it’s been described very well already.

If you need the nitty-gritty details of how swatch works, please see the “Monitoring for Sober.Y with Squid and swatch” post. To keep it short, here are the relevant entries you need in your swatch config file:

watchfor /snort.1000376/
    mail addresses=jlgaddis-pager:jlgaddis,subject=Blackworm
watchfor /snort.1000377/
    mail addresses=jlgaddis-pager:jlgaddis,subject=Blackworm
That’s assuming, of course, that you have the snort rules from Bleeding Snort:
alert tcp any any -> any 80 (msg:"webstats.web.rcn.net count.cgi request without referrer (possible BlackWorm infection)"; content:"GET /cgi-bin/Count.cgi|3f|"; depth:23; content:"df|3d|"; content:"Host|3a 20|webstats.web.rcn.net"; content:!"Referer|3a|"; classtype:misc-activity; sid:1000376; rev:1;)
…and…
alert tcp any any -> any 80 (msg:"Agentless HTTP request to www.microsoft.com (possible BlackWorm infection)"; dsize:92; content:"GET / HTTP/1.1|0d0a|Host|3a20|www.microsoft.com|0d0a|Connection|3a20|Keep-Alive|0d0a|Cache-Control|3a20|no-cache|0d0a0d0a|"; classtype:misc-activity; sid:1000377; rev:1;)
According to Gadi Evron, that’s from Joe Stewart. I was able to test it here and it works as expected, sending both an e-mail alert and another to my pager (via SMTP).
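As an added illustration (not code from this post or from swatch), here is the same two-entry watchfor table driven over a few constructed Snort syslog lines; it parses Snort's default syslog alert layout (`[gid:sid:rev] msg [Classification: ...] [Priority: n]: {proto} src:port -> dst:port`) so the page that goes out also names the internal host that made the outbound request. The hostname "ids", the addresses and the log lines are made up, and the mail action is returned rather than sent.

```python
import re

# Constructed Snort-over-syslog lines (documentation addresses, hypothetical
# hostname "ids"); they are not taken from the original post.
SAMPLE_MESSAGES = """\
Jan 25 04:12:01 ids snort[2114]: [1:1000376:1] webstats.web.rcn.net count.cgi request without referrer (possible BlackWorm infection) [Classification: Misc activity] [Priority: 3]: {TCP} 192.0.2.23:1042 -> 198.51.100.7:80
Jan 25 04:12:05 ids sshd[2201]: Accepted publickey for jlgaddis from 192.0.2.5 port 51022 ssh2
Jan 25 04:13:40 ids snort[2114]: [1:1000377:1] Agentless HTTP request to www.microsoft.com (possible BlackWorm infection) [Classification: Misc activity] [Priority: 3]: {TCP} 192.0.2.23:1043 -> 198.51.100.9:80
Jan 25 04:14:02 ids snort[2114]: [1:2001219:1] BLEEDING-EDGE Potential SSH Scan [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.0.2.9:41230 -> 192.0.2.1:22
"""

# Snort's default syslog alert line: "[gid:sid:rev] msg [...]: {proto} src:sport -> dst:dport"
SNORT_ALERT = re.compile(
    r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"\[Classification: .*?\] \[Priority: (?P<prio>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# The two watchfor entries from the post, expressed as sid -> mail action.
WATCHFOR = {
    "1000376": {"addresses": ["jlgaddis-pager", "jlgaddis"], "subject": "Blackworm"},
    "1000377": {"addresses": ["jlgaddis-pager", "jlgaddis"], "subject": "Blackworm"},
}

def parse_snort_alert(line):
    """Return the alert fields as a dict, or None for non-Snort lines."""
    m = SNORT_ALERT.search(line)
    return m.groupdict() if m else None

def watch(log_text, rules=WATCHFOR):
    """Apply the watchfor table to each syslog line; return the mail actions to fire."""
    actions = []
    for line in log_text.splitlines():
        alert = parse_snort_alert(line)
        if alert is None or alert["sid"] not in rules:
            continue
        rule = rules[alert["sid"]]
        # The source of the outbound port-80 request is the host to go clean up.
        actions.append({
            "to": rule["addresses"],
            "subject": rule["subject"],
            "body": f"sid {alert['sid']}: {alert['msg']} from {alert['src']} -> {alert['dst']}:{alert['dport']}",
            "host": alert["src"],
        })
    return actions

if __name__ == "__main__":
    for a in watch(SAMPLE_MESSAGES):
        print(a["subject"], a["host"], a["body"])
```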

This is great for me, since 1) I can’t sit around watching the IDS console all day, and 2) I’ll actually be in my office two days out of the next 14 and would probably miss ‘em anyways.



  1. Jeremy Says:

    I should have mentioned… in this case, I am monitoring the syslog files. My IDS is running on CentOS 4.2 and the IDS logs to both MySQL and syslog. Specifically, I am having swatch monitor /var/log/messages, which is where my snort alerts end up. Sorry about that.
