[Snort-sigs] Virus sig for worm_palyh.a and pe_ganda.a?

Robert Reid rreid at ...414...
Tue May 20 08:07:24 EDT 2003

Just loaded this rule on two sensors and immediately started getting 1000s
of false positives per min.


-----Original Message-----
From: Shane Williams [mailto:shanew at ...94...] 
Sent: Monday, May 19, 2003 5:27 PM
To: Magnus Larsson
Cc: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] Virus sig for worm_palyh.a and pe_ganda.a?

On Mon, 19 May 2003, Magnus Larsson wrote:

> Hi there!
> Are there a signature for the worm_palyh.a virus and the pe_ganda.a 
> virus? Or does anyone know how to write it?

I'm working on one right now.  Here's a first go (I'm running 1.8.6, so
pardon the old style rule):

alert tcp any any -> any 25 (msg:"Possible Palyh virus in SMTP"; \
H2X7fG4tG"; \
sid:9000018; classtype:misc-activity; rev:1;)

I'm running it on traffic dumps from today so I can compare it with info
from a virus scan on our mailserver, but so far it looks good, with no false
positives or negatives.

Please let me know how it works.

Public key #7BBC68D9 at            |                 Shane Williams
http://pgp.mit.edu/                |      System Admin - UT iSchool
All syllogisms contain three lines |              shanew at ...94...
Therefore this is not a syllogism  | www.ischool.utexas.edu/~shanew
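The validation step Shane describes (run the candidate string over captured traffic and compare against the mail scanner's verdicts) can be scripted offline before a rule goes on a sensor. The following is an added example, not code from this thread or from the Snort project. It assumes the rule's content option (cut off in the archived post) matches a base64 fragment of the attachment; MARKER, SIG_B64, the message bodies and their labels are all constructed here, and MARKER is not the real Palyh payload.

```python
"""Offline evaluation of a candidate content signature against labelled mail.

Added example, not from the original thread or the Snort project. A
constructed corpus stands in for a day's traffic dump; the 'scanner label'
stands in for the mailserver's virus-scan verdict.
"""
import base64
import binascii
import random

# Constructed stand-in for bytes a rule author pulled from ONE captured
# sample (9 bytes, so its base64 form is a clean 12-character group).
# This is not the real worm payload.
MARKER = bytes.fromhex("a3c17e5d02f96b4811")

# How a first-draft rule spells the marker: the base64 text seen in that
# one sample, i.e. at the byte alignment that sample happened to have.
SIG_B64 = base64.b64encode(MARKER).decode()


def make_body(prefix_len: int, marker: bytes = b"", seed: int = 0) -> str:
    """Base64 body with `prefix_len` random bytes in front of `marker`.

    The prefix length shifts the marker's byte offset; whenever
    prefix_len % 3 != 0 the same bytes are spelled differently in base64.
    """
    rng = random.Random(seed)
    data = bytes(rng.randrange(256) for _ in range(prefix_len))
    data += marker
    data += bytes(rng.randrange(256) for _ in range(48))
    return base64.b64encode(data).decode()


def match_raw(b64_body: str) -> bool:
    """Match on the transfer-encoded text, like a content: match on the wire."""
    return SIG_B64 in b64_body


def match_decoded(b64_body: str) -> bool:
    """Decode first, then match the bytes: independent of base64 alignment."""
    try:
        return MARKER in base64.b64decode(b64_body)
    except binascii.Error:
        return False


# Constructed corpus: (scanner label, body). 'worm' bodies carry the marker
# at different byte offsets; 'benign' bodies do not carry it at all.
CORPUS = [
    ("worm",   make_body(0, MARKER, seed=1)),  # same alignment as the sample
    ("worm",   make_body(1, MARKER, seed=2)),  # shifted by one byte
    ("worm",   make_body(2, MARKER, seed=3)),  # shifted by two bytes
    ("worm",   make_body(6, MARKER, seed=4)),  # shifted by a multiple of three
    ("benign", make_body(5, seed=5)),
    ("benign", make_body(0, seed=6)),
]


def evaluate(matcher, corpus=CORPUS) -> dict:
    """Count hits against the scanner's labels.

    False positives are what flood a sensor; false negatives are the samples
    the rule would have let through. Both need to be near zero before deploy.
    """
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for label, body in corpus:
        hit = matcher(body)
        if label == "worm":
            counts["tp" if hit else "fn"] += 1
        else:
            counts["fp" if hit else "tn"] += 1
    return counts


if __name__ == "__main__":
    for name, fn in (("raw base64 match", match_raw), ("decoded match", match_decoded)):
        print(f"{name:18s} {evaluate(fn)}")
```

On this constructed corpus the raw base64 match finds only the two bodies whose marker sits at the same alignment as the original sample, while the decoded-byte match finds all four; a real traffic dump with a mail scanner's verdicts as labels is what replaces CORPUS in practice. The same harness is where a flood of hits like the one reported above shows up as a high "fp" count before the rule ever reaches a sensor.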
