[Snort-sigs] NB! New Klez rules, old ones raise false positives

Shane Williams shanew at ...94...
Thu Jun 6 13:38:05 EDT 2002

On Thu, 6 Jun 2002, Christian Nesmark wrote:

> I am currently working on a set of rules for Klez recognition for my final 
> dissertation, and came across this from Chad Kreimendahl, claiming a hit 
> rate of 100%.

Well, I don't want to make your dissertation too easy :-), but I've been
using the following rule for several weeks now (both as a snort rule
and a modified procmail rule) on our department's server and I've not
seen any false positives in ~1200 alerts.

alert tcp any any -> any 25 (msg:"Virus - Klez"; \
content:"135AAItEjhyJRI8ci0SOGIlEjxiLRI4UiUSPFItEjhCJRI8Qi0SODIlEjwyLRI4IiUSPCItE"; sid:10012; classtype:misc-activity; rev:1;)

I could be missing some false negatives, but my users tend to get
excitable over viruses, so I don't think I'm missing anything.  I've
also shared it with others and haven't heard anything back implying
that it's either too broad or too narrow.

Of course, that said, if in your research you have reason to believe
it's inaccurate in either direction, please let me know.

Public key #7BBC68D9 at            |                 Shane Williams
http://pgp.mit.edu/                |                               
All syllogisms contain three lines |              shanew at ...94...
Therefore this is not a syllogism  |   www.gslis.utexas.edu/~shanew

More information about the Snort-sigs mailing list