[Snort-sigs] Virus sig for worm_palyh.a and pe_ganda.a?

Robert Reid rreid at ...414...
Tue May 20 08:07:24 EDT 2003


Just loaded this rule on two sensors and immediately started getting 1000's
of false positives per min.

Robert


-----Original Message-----
From: Shane Williams [mailto:shanew at ...94...] 
Sent: Monday, May 19, 2003 5:27 PM
To: Magnus Larsson
Cc: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] Virus sig for worm_palyh.a and pe_ganda.a?


On Mon, 19 May 2003, Magnus Larsson wrote:

> Hi there!
> 
> Are there a signature for the worm_palyh.a virus and the pe_ganda.a 
> virus? Or does anyone know how to write it?

I'm working on one right now.  Here's a first go (I'm running 1.8.6, so
pardon the old style rule):

alert tcp any any -> any 25 (msg:"Possible Palyh virus in SMTP"; \
content:"2f6LwTPJiUgEAggMEMcAQEJBAMP9d///Vovx6AoAAC/2RCQIAXQHVgyEWlmLxl7CBAAH2X7fG4tG"; \
sid:9000018; classtype:misc-activity; rev:1;)

I'm running it on traffic dumps from today so I can compare it with info
from a virus scan on our mailserver, but so far it looks good, with no false
positives or negatives.

Please let me know how it works.

-- 
Public key #7BBC68D9 at            |                 Shane Williams
http://pgp.mit.edu/                |      System Admin - UT iSchool
=----------------------------------+-------------------------------
All syllogisms contain three lines |              shanew at ...94...
Therefore this is not a syllogism  | www.ischool.utexas.edu/~shanew
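Added example, not part of the original thread or of any Snort release: the check a defender would run on a base64 content signature like the one above before putting it on a sensor. Snort's content keyword is a byte-exact substring search, and a base64 fragment only spells the underlying attachment bytes one way per starting offset modulo 3, so a single content string covers one of three possible encodings of the same binary. The script decodes the posted fragment (joined across the mail wrap), derives the other two spellings, and runs the rule's match logic over constructed SMTP bodies; the sample payloads, header lines and filler bytes are all constructed here, not captured traffic.

```python
import base64

# Content string from the rule Shane posted, with the mail client's line wrap
# joined back into what is almost certainly one 76-character MIME base64 line.
PALYH_CONTENT = (
    "2f6LwTPJiUgEAggMEMcAQEJBAMP9d///Vovx6AoAAC/2RCQIAXQHVgyEWlmLxl7CBAA"
    "H2X7fG4tG"
)


def decode_fragment(content: str) -> bytes:
    """Recover the raw attachment bytes that the base64 signature stands for."""
    return base64.b64decode(content)


def base64_alignments(raw: bytes) -> list[str]:
    """Return the three base64 spellings of `raw` as it appears inside a larger
    attachment, one per starting offset modulo 3. Only characters whose six
    bits come entirely from `raw` are kept; the rest depend on neighbour bytes."""
    spellings = []
    for shift in range(3):
        padded = b"\x00" * shift + raw          # filler stands in for the real neighbours
        enc = base64.b64encode(padded).decode().rstrip("=")
        lo, hi = 8 * shift, 8 * (shift + len(raw))   # bit range occupied by `raw`
        spellings.append("".join(
            c for i, c in enumerate(enc) if 6 * i >= lo and 6 * i + 6 <= hi
        ))
    return spellings


def content_matches(content: str, payload: bytes) -> bool:
    """Snort's content keyword is a byte-exact substring search (no nocase here)."""
    return content.encode() in payload


def constructed_smtp_payloads(raw: bytes) -> dict[str, bytes]:
    """Constructed sample SMTP DATA bodies (not captured traffic): one message
    carrying the fragment at each of the three base64 alignments, plus a
    benign message with no attachment."""
    header = (b"From: a@example.test\r\nTo: b@example.test\r\n"
              b"Content-Transfer-Encoding: base64\r\n\r\n")
    payloads = {"benign": header + base64.b64encode(b"just a normal message body")}
    for shift in range(3):
        # `raw` starts at byte offset 3 + shift, i.e. at alignment `shift`
        attachment = b"\x4d\x5a" + b"\x00" * (1 + shift) + raw + b"\xcc" * 4
        payloads[f"align{shift}"] = header + base64.b64encode(attachment)
    return payloads


def evaluate(content: str, payloads: dict[str, bytes]) -> dict[str, bool]:
    """Report which sample payloads the content string would fire on."""
    return {name: content_matches(content, p) for name, p in payloads.items()}


if __name__ == "__main__":
    raw = decode_fragment(PALYH_CONTENT)
    print(f"fragment is {len(raw)} raw bytes")
    for shift, spelling in enumerate(base64_alignments(raw)):
        print(f"alignment {shift}: {spelling[:24]}...")
    for name, hit in evaluate(PALYH_CONTENT, constructed_smtp_payloads(raw)).items():
        print(f"{name:8s} -> {'ALERT' if hit else 'no match'}")
```

Running it shows the rule fires on the alignment-0 sample only; the same 57 bytes at the other two offsets produce different base64 text and are missed, so full coverage needs one content string per alignment (or matching on the decoded attachment). MIME encoders also wrap base64 bodies at 76 columns, and Snort compares the bytes on the wire as-is, so a fragment that straddles a CRLF in the encoded body is not matched either. The same `evaluate` loop is the place to feed a corpus of known-clean mail when a signature starts alerting unexpectedly, as reported at the top of this thread.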



_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs