[Snort-sigs] NB! New Klez rules, old ones raise false positives
eastb at ...627...
Fri Jun 7 06:10:04 EDT 2002
> -----Original Message-----
> From: Shane Williams [mailto:shanew at ...94...]
> Sent: Thursday, June 06, 2002 4:36 PM
> To: Christian Nesmark
> Cc: snort-sigs at lists.sourceforge.net
> Subject: Re: [Snort-sigs] NB! New Klez rules, old ones raise false
> On Thu, 6 Jun 2002, Christian Nesmark wrote:
> > I am currently working on a set of rules for Klez recognition for my final
> > dissertation, and came across this from Chad Kreimendahl, claiming a hit
> > rate of 100%.
> Well, I don't want to make your dissertation too easy :-),
> but I've been
> using the following rule for several weeks now (both as a snort rule
> and a modified procmail rule) on our department's server and I've not
> seen any false positives in ~1200 alerts.
> alert tcp any any -> any 25 (msg:"Virus - Klez"; \
> IlEjwyLRI4IiUSPCItE"; sid:10012; classtype:misc-activity; rev:1;)
For what it is worth, I've been using the signature that Onie Camara posted
to this list on 4/25 on my (low volume) network and have gotten zero false
positives. Like you, I can't be sure if any copies of the virus have passed,
but my AV solution hasn't seen them either.
The signature was
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"Virus - KLEZ on incoming mail"; \
    content:"TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAA"; sid:720; \
    classtype:misc-activity; rev:3; resp:rst_all;)
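As an added example (not code from the thread or from the rule's author), the Python below decodes the content string of the sid:720 rule quoted above and emulates its match against a constructed SMTP message. The decoded bytes are the standard DOS "MZ" stub that every Win32 executable starts with, which is why the rule catches Klez mail but would equally fire on any base64-encoded executable attachment on port 25; the addresses and message bodies are constructed sample data.

```python
import base64

# Content string quoted from the "Virus - KLEZ on incoming mail" rule (sid:720).
KLEZ_RULE_CONTENT = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAA"


def decode_rule_content(b64: str) -> bytes:
    """Decode the rule's base64 fragment to the raw bytes it matches.

    The fragment is 37 characters, one short of a full 4-character group,
    so the trailing partial group is dropped before decoding.
    """
    usable = b64[: len(b64) - len(b64) % 4]
    return base64.b64decode(usable)


def is_mz_header(blob: bytes) -> bool:
    """True if the bytes start with the DOS 'MZ' magic that all PE files carry."""
    return blob[:2] == b"MZ"


def rule_matches(smtp_payload: bytes) -> bool:
    """Emulate the rule's content: check on a captured SMTP DATA payload.

    Like the Snort rule, this is a fixed-string match, so it only fires when the
    executable sits at the very start of a base64 body part (otherwise the base64
    alignment shifts and the string never appears). Klez's .exe attachments do.
    """
    return KLEZ_RULE_CONTENT.encode() in smtp_payload


def build_message(attachment: bytes) -> bytes:
    """Constructed MIME message with a single base64 attachment (sample data)."""
    return (
        b"From: sender@example.test\r\n"
        b"To: recipient@example.test\r\n"
        b"Content-Type: application/octet-stream\r\n"
        b"Content-Transfer-Encoding: base64\r\n\r\n"
        + base64.encodebytes(attachment)
    )


# Constructed 64-byte DOS stub: the bytes the rule matches, padded with zeros.
STANDARD_MZ_STUB = decode_rule_content(KLEZ_RULE_CONTENT) + b"\x00" * 37

if __name__ == "__main__":
    header = decode_rule_content(KLEZ_RULE_CONTENT)
    print(header.hex(" "))                                        # starts 4d 5a 90 00 03 00
    print(rule_matches(build_message(STANDARD_MZ_STUB)))          # True: any PE with this stub
    print(rule_matches(build_message(b"Quarterly report text")))  # False
```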