Bro signature for detecting hosts infected with "Witty"

Here's a signature to detect the Witty worm that's going around today:

  signature witty-worm {
    header udp[0:2] == 4000
    payload /.*insert witty message here/
    event "Source infected with Witty"

If you put that in "witty.sig" then the appended script will generate
RemoteWittyInfectee for non-local infected hosts and LocalWittyInfectee
for local ones.


@load log
@load site
@load alert

redef signature_files += "witty.sig";
redef enum Alert += { RemoteWittyInfectee, LocalWittyInfectee };
redef capture_filters = { ["witty"] = "udp src port 4000" };

# Keep track of each infection spotted.
global witty_infectees: table[addr] of count &default = 0;

event signature_match(state: signature_state, msg: string, data: string)
  local infectee = state$conn$id$orig_h;

  if ( ++witty_infectees[infectee] == 1 )
    ALERT([$alert = is_local_addr(infectee) ?
        LocalWittyInfectee : RemoteWittyInfectee,
      $msg=fmt("source %s infected by Witty", infectee)]);