[Snort-sigs] Sinit rule anyone?

Matt Kettler mkettler at ...189...
Tue Dec 9 13:36:03 EST 2003


At 06:03 AM 12/9/2003, Meij, Ewout {PGIN~Kaiseraugst} wrote:
>Has someone a working rule for the sinit (a.k.a. Calyps.a or Calypso)[1]
>worm?

Well, the TCP mode of spread is pretty easy to write a rule for.

This should detect any tcp-mode requests for calypso on a host.

alert tcp any any -> any 53 (msg:"Calypso tcp mode request"; 
flow:to_server,established; content: "kx.exe"; nocase; sid:1000000;rev:1;);

Adjust the SID, source IP and dest IP specs to suit your needs.

The UDP mode is a bit trickier to do without FPs just based on the limited 
information on that website.

They state that it's udp/53 but also does udp/<somehighport>. Packets start 
with a 0x01-0x06 byte, followed by up to 511 more bytes.

Unfortunately the first two bytes of a DNS request are the ID field. This 
field should be random, thus can be anything for legitimate DNS traffic, 
including 0x01-0x06.
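An added example, not from the post above or from the Snort project, that mirrors the two detection ideas in the thread so their trade-offs can be checked offline. The TCP side reproduces the rule's case-insensitive "kx.exe" content match; the UDP side implements the only published fingerprint ("first byte 0x01-0x06, up to 511 more bytes") as a naive rule and measures how often it fires on ordinary DNS queries whose 16-bit ID field is random. The DNS packets are constructed here with the standard RFC 1035 header layout; the function names and the sample query name are this example's own.

```python
"""Added example (not from the Snort-sigs post or from Snort): models the
two detection ideas discussed in the thread.  All packets are constructed."""
import random
import struct


# --- TCP mode: the post's rule looks for "kx.exe" (nocase) in established
#     client->server traffic to port 53.  A Snort 'content' match is a
#     substring search, which this reproduces.
def tcp_rule_matches(payload: bytes) -> bool:
    return b"kx.exe" in payload.lower()


# --- UDP mode: the published fingerprint is "first byte 0x01-0x06, followed
#     by up to 511 more bytes".  This is the naive rule it suggests.
def naive_udp_rule_matches(payload: bytes) -> bool:
    return 1 <= len(payload) <= 512 and 0x01 <= payload[0] <= 0x06


def build_dns_query(txid: int, name: str = "example.com") -> bytes:
    """Minimal standard DNS query: RFC 1035 header plus one A/IN question.

    Header fields: ID, flags (RD set, QR=0, opcode 0), QDCOUNT=1, the rest 0.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split("."))
    qname += b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def looks_like_dns_query(payload: bytes) -> bool:
    """Cheap structural check: full header, QR=0 (query), opcode 0, exactly
    one question whose name parses right up to the trailing QTYPE/QCLASS."""
    if len(payload) < 12:
        return False
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000 or (flags >> 11) & 0xF != 0 or qdcount != 1:
        return False
    pos = 12
    while True:
        if pos >= len(payload):
            return False
        label_len = payload[pos]
        pos += 1
        if label_len == 0:
            break
        if label_len > 63:  # labels are at most 63 octets
            return False
        pos += label_len
    return pos + 4 == len(payload)


def naive_rule_false_positive_rate(samples: int, seed: int = 1) -> float:
    """Fraction of legitimate queries with random IDs that the naive rule
    flags.  The ID is uniform over 0..65535, so its first byte lands in
    0x01-0x06 with probability 6/256: roughly 2.3% of all clean queries."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(samples):
        pkt = build_dns_query(rng.randrange(0, 65536))
        assert looks_like_dns_query(pkt)  # every sample is a well-formed query
        if naive_udp_rule_matches(pkt):
            hits += 1
    return hits / samples


if __name__ == "__main__":
    print("TCP rule on 'GET /KX.EXE':", tcp_rule_matches(b"GET /KX.EXE HTTP/1.0\r\n"))
    print("naive UDP rule FP rate on clean DNS:",
          naive_rule_false_positive_rate(20000))
```

The point the numbers make is the one the post makes in words: a first-byte check cannot separate the worm's UDP traffic from normal DNS, because the byte it keys on is a random transaction ID, and a structural DNS-header check does not help either, since nothing published says the worm's payload fails it. Anything better needs more of the UDP payload format than the write-up gives.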





