[Snort-sigs] Virus sig for worm_palyh.a and pe_ganda.a?
Robert Reid
rreid at ...414...
Tue May 20 08:07:24 EDT 2003
Just loaded this rule on two sensors and immediately started getting 1000s
of false positives per minute.
Robert
-----Original Message-----
From: Shane Williams [mailto:shanew at ...94...]
Sent: Monday, May 19, 2003 5:27 PM
To: Magnus Larsson
Cc: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] Virus sig for worm_palyh.a and pe_ganda.a?
On Mon, 19 May 2003, Magnus Larsson wrote:
> Hi there!
>
> Is there a signature for the worm_palyh.a virus and the pe_ganda.a
> virus? Or does anyone know how to write one?
I'm working on one right now. Here's a first go (I'm running 1.8.6, so
pardon the old style rule):
alert tcp any any -> any 25 (msg:"Possible Palyh virus in SMTP"; \
content:"2f6LwTPJiUgEAggMEMcAQEJBAMP9d///Vovx6AoAAC/2RCQIAXQHVgyEWlmLxl7CBAAH2X7fG4tG"; \
sid:9000018; classtype:misc-activity; rev:1;)
I'm running it on traffic dumps from today so I can compare it with info
from a virus scan on our mailserver, but so far it looks good, with no false
positives or negatives.
Please let me know how it works.
--
Public key #7BBC68D9 at | Shane Williams
http://pgp.mit.edu/ | System Admin - UT iSchool
=----------------------------------+-------------------------------
All syllogisms contain three lines | shanew at ...94...
Therefore this is not a syllogism | www.ischool.utexas.edu/~shanew
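The rule above is a plain substring match on one 76-character base64 line of the worm's attachment. The following Python is an added example, not code from this thread or from Shane's rule set: it mirrors what a Snort `content:` option does on the raw SMTP payload, and then goes a step beyond the thread by showing the caveat a base64 content signature carries. The same bytes have three base64 spellings depending on their byte offset (mod 3) in the encoded stream, and even an identically spelled run is defeated if a MIME line wrap falls inside it, so a decode-then-search check is the alignment-independent form. The SMTP sessions, the `example.test` addresses, the `attachment.bin` name and the filler bytes are all constructed here; `PALYH_BYTES` is simply the base64 decoding of the content string from the posted rule. Nothing here explains the false positives reported higher in the thread, which the thread does not analyse.

```python
import base64
import binascii
import re

# The content string from the rule posted in this thread, as the single
# 76-character MIME base64 line it was lifted from (76 chars = 57 raw bytes).
PALYH_CONTENT = "2f6LwTPJiUgEAggMEMcAQEJBAMP9d///Vovx6AoAAC/2RCQIAXQHVgyEWlmLxl7CBAAH2X7fG4tG"
# The raw bytes that string encodes; these are what the rule is really after.
PALYH_BYTES = base64.b64decode(PALYH_CONTENT)

_B64_LINE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def raw_content_match(payload: bytes, content: str = PALYH_CONTENT) -> bool:
    """What a plain Snort 'content:' option does: exact substring search on the TCP payload."""
    return content.encode("ascii") in payload


def b64_spellings(blob: bytes) -> list:
    """The three base64 spellings of blob, one per byte offset (mod 3) at which it can
    start inside an encoded stream.  Only characters whose six bits come entirely from
    blob are kept, so each spelling is a substring a content match could search for."""
    spellings = []
    for k in range(3):
        stream = base64.b64encode(b"\x00" * k + blob + b"\x00" * 2).decode("ascii")
        first = -(-8 * k // 6)             # ceil(8k / 6): first char fully inside blob
        last = 8 * (k + len(blob)) // 6    # exclusive end of the fully-inside chars
        spellings.append(stream[first:last])
    return spellings


def decoded_content_match(payload: bytes, needle: bytes = PALYH_BYTES) -> bool:
    """Alignment-independent check: decode each run of base64 lines, search the bytes."""
    run = []
    for line in payload.decode("latin-1").split("\r\n") + [""]:   # "" flushes the last run
        if _B64_LINE.match(line):
            run.append(line)
            continue
        if run:
            try:
                if needle in base64.b64decode("".join(run)):
                    return True
            except binascii.Error:
                pass          # not really base64 (e.g. a bare "DATA" or "QUIT" verb)
            run = []
    return False


def smtp_session_with_attachment(attachment: bytes) -> bytes:
    """Constructed client-side SMTP payload (not a real capture) carrying one base64 attachment."""
    body = base64.encodebytes(attachment).decode("ascii").replace("\n", "\r\n")  # 76-col lines
    message = (
        "From: sender@example.test\r\n"
        "To: rcpt@example.test\r\n"
        "Subject: constructed sample\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n'
        "\r\n"
        "--b1\r\n"
        'Content-Type: application/octet-stream; name="attachment.bin"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        "\r\n"
        + body +
        "--b1--\r\n"
    )
    return (
        "MAIL FROM:<sender@example.test>\r\nRCPT TO:<rcpt@example.test>\r\nDATA\r\n"
        + message + ".\r\nQUIT\r\n"
    ).encode("latin-1")


# Constructed cases: the same worm bytes at different offsets inside the attachment.
FILLER = b"\x02" * 40
SESSIONS = {
    "aligned, first line": smtp_session_with_attachment(PALYH_BYTES + FILLER),
    "shifted by one byte": smtp_session_with_attachment(b"\x01" + PALYH_BYTES + FILLER),
    "aligned, but wrapped": smtp_session_with_attachment(b"\x01\x01\x01" + PALYH_BYTES + FILLER),
    "benign text": smtp_session_with_attachment(b"harmless text attachment\n" * 4),
}

if __name__ == "__main__":
    for name, session in SESSIONS.items():
        print(f"{name:22s} raw content: {raw_content_match(session)!s:5s}  "
              f"decoded: {decoded_content_match(session)}")
    for i, s in enumerate(b64_spellings(PALYH_BYTES)):
        print(f"offset mod 3 = {i}: {s}")
```

Running it shows the raw content match firing only for the "aligned, first line" case, while the decoded check fires for all three sessions that carry the worm bytes and stays quiet on the benign one. For a production rule the usual mitigation is to carry all three spellings (three rules, or a `pcre` alternation in a newer Snort) and to keep each content string short enough that it cannot straddle a 76-column line wrap.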
_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs