[Snort-sigs] NB! New Klez rules, old ones raise false positives

East, Bill eastb at ...627...
Fri Jun 7 06:10:04 EDT 2002

> -----Original Message-----
> From: Shane Williams [mailto:shanew at ...94...]
> Sent: Thursday, June 06, 2002 4:36 PM
> To: Christian Nesmark
> Cc: snort-sigs at lists.sourceforge.net
> Subject: Re: [Snort-sigs] NB! New Klez rules, old ones raise false
> positives
> On Thu, 6 Jun 2002, Christian Nesmark wrote:
> > I am currently working on a set of rules for Klez recognition for my final
> > dissertation, and came across this from Chad Kreimendahl, claiming a hit
> > rate of 100%.
> Well, I don't want to make your dissertation too easy :-), but I've been
> using the following rule for several weeks now (both as a snort rule
> and a modified procmail rule) on our department's server and I've not
> seen any false positives in ~1200 alerts.
>
> alert tcp any any -> any 25 (msg:"Virus - Klez"; \
>   content:"135AAItEjhyJRI8ci0SOGIlEjxiLRI4UiUSPFItEjhCJRI8Qi0SODIlEjwyLRI4IiUSPCItE"; \
>   sid:10012; classtype:misc-activity; rev:1;)
For what it is worth, I've been using the signature that Onie Camara posted
to this list on 4/25 on my (low volume) network and have gotten zero false
positives. Like you, I can't be sure if any copies of the virus have passed,
but my AV solution hasn't seen them either.

The signature was:

alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"Virus - KLEZ on incoming mail"; \
  content:"TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAA"; sid:720; \
  classtype:misc-activity; rev:3; resp:rst_all;)

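Added example, not from the thread or from either rule's author: the two content strings above, decoded and then run as plain substring matches over constructed SMTP bodies, to show what each rule is actually keyed on. The sid:720 string decodes to the first 27 bytes of the stock MS-DOS header that the Microsoft linker writes into practically every Win32 executable, so that rule fires on any mail carrying an ordinary base64-encoded .exe, not only Klez. The sid:10012 string decodes to 54 bytes of x86 (an unrolled mov eax,[esi+ecx*4+N] / mov [edi+ecx*4+N],eax copy loop) that is specific to the binary it was cut from. The last sample shows the caveat that comes with matching base64 text: the same 54 bytes at a different file offset straddle a 76-column line break, and a raw content match misses them. The message headers, addresses and attachment bodies are constructed for this example, and matching_sids is a stand-in for Snort's content option (a substring search over the port-25 stream), not Snort itself.

```python
import base64

# Content strings from the two Snort rules quoted in this thread
# (sid:10012 posted by Shane Williams, sid:720 posted by Onie Camara).
RULE_CONTENT = {
    10012: "135AAItEjhyJRI8ci0SOGIlEjxiLRI4UiUSPFItEjhCJRI8Q"
           "i0SODIlEjwyLRI4IiUSPCItE",
    720: "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAA",
}

# The first 27 bytes the Microsoft linker puts at the front of practically
# every Win32 executable: "MZ", e_cblp=0x90, e_cp=3, e_crlc=0, e_cparhdr=4,
# e_minalloc=0, e_maxalloc=0xffff, e_ss=0, e_sp=0xb8, zeros, e_lfarlc=0x40.
STANDARD_MZ_HEADER = bytes.fromhex(
    "4d5a90000300000004000000ffff0000b800000000000000400000"
)


def decode_rule_content(b64: str) -> bytes:
    """Decode a rule's base64 content string, dropping a trailing partial
    group. Snort matches the base64 text itself; decoding is only to see
    what bytes of the attachment the rule is keyed on."""
    usable = b64[: len(b64) - len(b64) % 4]
    return base64.b64decode(usable)


def build_mime_message(attachment: bytes) -> bytes:
    """Constructed minimal SMTP DATA body with one base64 attachment.
    base64.encodebytes wraps at 76 characters, like a MIME encoder."""
    body = base64.encodebytes(attachment).replace(b"\n", b"\r\n")
    return (
        b"From: sender@example.invalid\r\n"      # hypothetical addresses
        b"To: user@example.invalid\r\n"
        b"Subject: hi\r\n"
        b"MIME-Version: 1.0\r\n"
        b"Content-Type: application/octet-stream; name=\"a.exe\"\r\n"
        b"Content-Transfer-Encoding: base64\r\n"
        b"\r\n" + body
    )


def matching_sids(smtp_payload: bytes) -> list:
    """Stand-in for the rules' content: options: a raw substring search
    over the mail body, which is what Snort does on the port-25 stream."""
    return sorted(sid for sid, c in RULE_CONTENT.items()
                  if c.encode("ascii") in smtp_payload)


def _fake_exe(prefix_len: int, fragment: bytes = b"") -> bytes:
    """Constructed attachment: the standard DOS header, zero filler up to
    prefix_len bytes, an optional fragment, then more filler. Only the
    header bytes are real; this is not a working program."""
    head = STANDARD_MZ_HEADER + b"\x00" * (prefix_len - len(STANDARD_MZ_HEADER))
    return head + fragment + b"\x00" * 100


def sample_results() -> dict:
    """Run both rules over four constructed messages; returns name -> sids."""
    copy_loop = decode_rule_content(RULE_CONTENT[10012])  # 54 bytes of x86
    samples = {
        # plain text, no attachment: neither rule should fire
        "text_only": b"Subject: hi\r\n\r\njust text\r\n",
        # an ordinary benign executable attached: sid:720 fires on the
        # MZ header alone, sid:10012 does not
        "benign_exe": build_mime_message(_fake_exe(57)),
        # the copy-loop bytes begin at file offset 57, i.e. at column 0 of
        # the second 76-char base64 line, so the 72-char string is intact
        "klez_like_aligned": build_mime_message(_fake_exe(57, copy_loop)),
        # same bytes at offset 63: still 3-byte aligned, but the encoded
        # fragment now straddles a line break and the substring match misses
        "klez_like_wrapped": build_mime_message(_fake_exe(63, copy_loop)),
    }
    return {name: matching_sids(msg) for name, msg in samples.items()}


if __name__ == "__main__":
    print("sid:720 is keyed on:", decode_rule_content(RULE_CONTENT[720]).hex())
    print("sid:10012 is keyed on:", decode_rule_content(RULE_CONTENT[10012]).hex())
    for name, sids in sample_results().items():
        print(f"{name:20s} -> {sids}")
```

The wrapped sample is the thing to keep in mind when cutting a base64 content string from a captured worm mail: it only matches if the worm always encodes the attachment from the same starting offset, so the fragment lands at the same column of the same line every time. For one fixed binary that holds, which is consistent with the hit rates reported above, but a repacked or prefixed variant can shift the fragment across a line break with no change to the bytes themselves.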