[Snort-sigs] worm_sobig.c?

Nigel Houghton nigel.houghton at ...435...
Mon Jun 2 06:24:07 EDT 2003


Sids 721 and 729 should already catch this activity.

Failing that, you have a couple of options. I would suggest looking for
the filename extension in a rule something like this:

alert tcp $HOME_NET 110 -> $EXTERNAL_NET any (msg:"Virus - Possible Worm"; content:"filename="; content:".pif"; nocase; sid:; classtype:misc-activity; rev:;)

(just like sids 721 and 729), which would detect infections emanating
from your POP server. If you get lots of false positives or if you want
to identify the worm more specifically, you could create a rule to match
each of the known attachment names instead. Also, if you wish to detect
incoming worms change the rule to something like:

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"Virus - Possible Worm"; content:"filename="; content:".pif"; nocase; sid:; classtype:misc-activity; rev:;)

Same thing applies with false positives. You will of course need to make
a rule for the .scr extension.

On Mon,  2 Jun 2003 13:19:02 +0200
Magnus Larsson <magnus.larsson at ...1524...> said something like:

: Can anyone help me to write a rule for the virus worm_sobig.c?
: 
: It can be found with help of this:
: 
: From: (any of the identified recipient addresses)
: Subject: (any of the following) 
: _ Re: Screensaver 
: _ Re: Movie 
: _ Re: Submited (004756-3463) 
: _ Re: 45443-343556 
: _ Re: Approved 
: _ Approved 
: _ Re: Your application 
: _ Re: Application
: Message Body: Please see the attached file. 
: Attachment: (any of the following) 
: _ screensaver.scr 
: _ movie.pif 
: _ submited.pif 
: _ 45443.pif 
: _ documents.pif 
: _ approved.pif 
: _ application.pif 
: _ document.pif 
: 
: I hope someone can help me out.
: 
: Best Regards,
: 
: Magnus
: 


-------------------------------------------------------------
Nigel Houghton       Security Engineer        Sourcefire Inc.

"I have read of a place where humans do battle in a ring of Jell-O."
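The following is an added example and is not code from the Snort project or from either list post. It models the matching semantics that the rules above rely on, assuming Snort 2 behaviour: each plain content keyword (no distance/within) is an independent substring search over the reassembled payload, and nocase applies only to the content keyword it directly follows. It runs the generic extension rules and the per-attachment-name rules over constructed sample messages, so you can see the false positive the reply warns about (a benign mail whose body merely mentions a .pif file) and one caveat of the rule as written (a "FILENAME=" header in upper case is not matched, because nocase was only applied to ".pif"). All sample messages and the rule msg strings are constructed for the example.

```python
"""Model of the Snort content matching behind the rules in the reply above.

Added example, not code from the Snort project or from the list post. It
assumes Snort 2 semantics: every ``content`` without distance/within is an
independent substring search over the reassembled payload, and ``nocase``
applies only to the content keyword it follows. Sample messages are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Content:
    pattern: bytes
    nocase: bool = False  # modifies only this content, exactly as in a Snort rule

    def found_in(self, payload: bytes) -> bool:
        if self.nocase:
            return self.pattern.lower() in payload.lower()
        return self.pattern in payload


@dataclass(frozen=True)
class Rule:
    msg: str
    contents: tuple

    def matches(self, payload: bytes) -> bool:
        # Plain contents are not relative to each other; all must be present somewhere.
        return all(c.found_in(payload) for c in self.contents)


# The generic .pif rule from the reply plus the .scr variant it says to add.
GENERIC_RULES = [
    Rule("Virus - Possible Worm (.pif)", (Content(b"filename="), Content(b".pif", nocase=True))),
    Rule("Virus - Possible Worm (.scr)", (Content(b"filename="), Content(b".scr", nocase=True))),
]

# One rule per known attachment name, the "more specific" option the reply mentions.
# The quotes are part of the pattern so "document.pif" does not also match "documents.pif".
SOBIG_C_ATTACHMENTS = [b"screensaver.scr", b"movie.pif", b"submited.pif", b"45443.pif",
                       b"documents.pif", b"approved.pif", b"application.pif", b"document.pif"]
SPECIFIC_RULES = [
    Rule(f"Virus - Sobig.C attachment {name.decode()}",
         (Content(b"filename="), Content(b'"' + name + b'"', nocase=True)))
    for name in SOBIG_C_ATTACHMENTS
]


def evaluate(payload: bytes, rules=None) -> list:
    """Return the msg of every rule that fires on this payload, in rule order."""
    if rules is None:
        rules = GENERIC_RULES + SPECIFIC_RULES
    return [r.msg for r in rules if r.matches(payload)]


def mime_message(subject: str, body: str, attachment=None, param: str = "filename") -> bytes:
    """Build a minimal multipart message as it crosses the wire (constructed sample data)."""
    msg = (f"From: sender@example.com\r\nTo: user@example.com\r\nSubject: {subject}\r\n"
           'MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary="b1"\r\n\r\n'
           f"--b1\r\nContent-Type: text/plain\r\n\r\n{body}\r\n")
    if attachment is not None:
        msg += ("--b1\r\nContent-Type: application/octet-stream\r\n"
                f'Content-Disposition: attachment; {param}="{attachment}"\r\n'
                "Content-Transfer-Encoding: base64\r\n\r\nTVqQAAMAAAAEAAAA\r\n")
    return (msg + "--b1--\r\n").encode()


# Constructed samples: two worm-style messages, two benign ones, and a header-case edge case.
SAMPLES = {
    "sobig_movie": mime_message("Re: Movie", "Please see the attached file.", "movie.pif"),
    "sobig_upper": mime_message("Re: Screensaver", "Please see the attached file.", "SCREENSAVER.SCR"),
    "benign_mention": mime_message("Re: Build", "Delete the old launcher.pif first.", "notes.txt"),
    "benign_clean": mime_message("Re: Lunch", "Noon?"),
    "upper_param": mime_message("Re: Movie", "Please see the attached file.", "movie.pif", param="FILENAME"),
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:15} -> {evaluate(payload) or 'no alert'}")
```

The generic rule fires on "benign_mention" because the two contents are matched independently: "filename=" comes from the harmless notes.txt attachment and ".pif" from the body text. The per-name rules do not, which is the trade-off the reply describes. If you want the generic rule to be case-insensitive on the header as well, nocase has to be stated after the "filename=" content too; as written it only covers the extension.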