Rule:

--
Sid:
1809

--
Summary:
This event is generated when an attempt is made to infect a web server by the "Scalper" worm.

--
Impact:
An infected server will open ports and listen for commands as well as 
attempt to infect more systems.

--
Detailed Information:
This worm takes advantage of the chunked encoding vulnerability in 
Apache to infect new systems. Once infected, the worm opens UDP port 
2001 and will listen for additional commands. It will also begin 
scanning for new hosts to infect.

--
Affected Systems:
Version of Apache 1.3 up to and including 1.3.24 and versions of Apache 
2.0 up to 2.0.36. All versions of Apache 1.2 are vulnerable. This worm 
will only infect systems running FreeBSD.

--
Attack Scenarios:
Typical self-replicating worm.

--
Ease of Attack:
Simple. This is worm activity and is fully automated.

--
False Positives:
None Known.

--
False Negatives:
None known.

--
Corrective Action:
Upgrade your installation of Apache if you are running a vulnerable 
version.

--
Contributors:
Sourcefire Research Team
Brian Caswell <bmc@sourcefire.com>
Snort documentation contributed by Kevin Peuhkurinen

-- 
Additional References:

Symantec
http://securityresponse.symantec.com/avcenter/venc/data/freebsd.scalper.worm.html

--