[Snort-sigs] Re: capture the funlove virus
Vjay LaRosa
vjayl at ...375...
Tue Apr 9 15:30:03 EDT 2002
FYI,
here are four signatures that I had created with another person for the
funlove virus to use with Snort. I haven't had time to document them or
to put the PCAPs together for each string yet. They have been extremely
successful for us. Thanks!
vjl
# Each rule matches an established TCP stream (flags:A+ = ACK set, any other
# flags allowed) from outside $HOME_NET to port 139 (NetBIOS session / SMB)
# whose payload carries one of the FunLove strings. The decoded ASCII of each
# hex content: is given in the comment above the rule.
# "flcss.exe"
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS Fun Love flcss.exe"; flags:A+; content:"|66 6c 63 73 73 2e 65 78 65|"; classtype:string-detect; rev:1;)
# "NTLDR"
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS Fun Love NTLDR"; flags:A+; content:"|4e 54 4c 44 52|"; classtype:string-detect; rev:1;)
# "WINNT\System32\ntoskrnl.exe"
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS Fun Love ntoskrnl.exe"; flags:A+; content:"|57 49 4e 4e 54 5c 53 79 73 74 65 6d 33 32 5c 6e 74 6f 73 6b 72 6e 6c 2e 65 78 65|"; classtype:string-detect; rev:1;)
# "Fun Loving Criminal"
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS Fun Loving Criminal"; flags:A+; content:"|46 75 6e 20 4c 6f 76 69 6e 67 20 43 72 69 6d 69 6e 61 6c|"; classtype:string-detect; rev:1;)
Nick FitzGerald wrote:
> "Dale, Kyra" <kyra.dale at ...497...> wrote:
>
>
>>>Has anyone created a computer (trap) that would be able to determine the
>>>source of the funlove virus on a network? If so, can you provide details.
>>>
>
> I recall seeing a free download at Symantec's site that claimed to do
> this. It's bound to be linked off their FunLove description page.
>
> Alternatively, setting up an NT/W2K/XP "honeypot" with an open share
> on the root of the Windows install drive and with full file system
> auditing enabled should allow you to track where FunLove's write
> attempts come from (you should, of course, monitor this machine very
> closely!).
--
V.Jay LaRosa EMC Corporation
Systems Administrator 171 South Street
(508)435-1000 ext 14957 Hopkinton, MA 01748
(508)497-8082 fax www.emc.com
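As an added worked example (not part of the original post, and not Snort's own code): the rules above all use Snort's hex content notation, where bytes between pipe characters are hex and anything outside the pipes is literal text. The script below decodes that notation, then runs the four FunLove content strings over three constructed SMB-like payloads to show which rules fire. The payloads, the function names and the FUNLOVE_CONTENTS table are assumptions made for this example; only the content: values come from the post.

```python
"""
Added example (not from the original Snort-sigs post, not Snort code):
decode Snort content: strings and run the FunLove patterns over
constructed sample payloads.
"""

# The four content: strings from the post, keyed by their msg: text.
FUNLOVE_CONTENTS = {
    "NETBIOS Fun Love flcss.exe": "|66 6c 63 73 73 2e 65 78 65|",
    "NETBIOS Fun Love NTLDR": "|4e 54 4c 44 52|",
    "NETBIOS Fun Love ntoskrnl.exe":
        "|57 49 4e 4e 54 5c 53 79 73 74 65 6d 33 32 5c 6e 74 6f 73 6b 72 6e 6c 2e 65 78 65|",
    "NETBIOS Fun Loving Criminal":
        "|46 75 6e 20 4c 6f 76 69 6e 67 20 43 72 69 6d 69 6e 61 6c|",
}


def decode_content(content: str) -> bytes:
    """Turn a Snort content: value into the raw bytes Snort searches for.

    Segments between pipe characters are whitespace-separated hex bytes;
    everything else is literal text, so "flc|73 73|.exe" and
    "|66 6c 63 73 73 2e 65 78 65|" both decode to b"flcss.exe".
    Snort's backslash escapes are not handled; the rules in the post
    do not use them.
    """
    if content.count("|") % 2:
        raise ValueError("unbalanced pipes in content string")
    out = bytearray()
    for i, segment in enumerate(content.split("|")):
        if i % 2:  # odd-numbered segments sit between pipes: hex bytes
            for tok in segment.split():
                if len(tok) != 2:
                    raise ValueError(f"bad hex byte {tok!r}")
                out.append(int(tok, 16))
        else:      # even-numbered segments are literal text
            out.extend(segment.encode("latin-1"))
    return bytes(out)


def matching_rules(payload: bytes, rules=FUNLOVE_CONTENTS) -> list:
    """Return the msg: of every rule whose content: occurs in payload.

    Only the content: test is reproduced. Real Snort would also require
    TCP to port 139 from outside $HOME_NET with the ACK flag set
    (flags:A+); this toy matcher does not model the header checks.
    """
    return [msg for msg, content in rules.items()
            if decode_content(content) in payload]


# Constructed sample payloads (made up for this example, not captures).
# 1. Fragment of an SMB write carrying the flcss.exe name.
SAMPLE_INFECTED = (b"\x00\x00\x00\x40\xffSMB\x2f" + b"\x00" * 8
                   + b"C:\\WINNT\\System32\\flcss.exe\x00")
# 2. A legitimate-looking file copy that happens to move the boot loader.
SAMPLE_BENIGN_NTLDR = b"\x00\x00\x00\x20\xffSMB\x2f" + b"\\backup\\NTLDR\x00"
# 3. Traffic containing none of the strings.
SAMPLE_CLEAN = b"\x00\x00\x00\x10\xffSMB\x25GET /index.html"

if __name__ == "__main__":
    for name, payload in [("infected", SAMPLE_INFECTED),
                          ("benign NTLDR copy", SAMPLE_BENIGN_NTLDR),
                          ("clean", SAMPLE_CLEAN)]:
        print(f"{name:20s} -> {matching_rules(payload)}")
```

Running it shows the flcss.exe rule firing on the first payload and nothing on the third, but also the NTLDR rule firing on the benign copy: a five-byte content string on all port 139 traffic will match any legitimate transfer of that filename (backups, imaging, repair tools), so that rule is the noisiest of the four and is best used together with the others rather than as a standalone alert. Two caveats the rules themselves carry: they watch port 139 only, so Windows 2000/XP hosts talking SMB directly on TCP 445 are not covered, and the rules have no sid:, which later Snort releases require.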