[Snort-sigs] Virus sig for worm_palyh.a and pe_ganda.a? .....can you give me some pointers. (fwd)

daniel.clemens daniel_clemens at ...842...
Tue May 20 08:29:14 EDT 2003


I was playing around last night with some of these rules hoping to get
some feedback from some friends.
I haven't gotten to test these in a production environment since I don't
have the actual virus, but thought I would pass along portions of the
conversation for the list members' consumption and possibly some correction
from Brian on the rule format.



> >  alert tcp $EXTERNAL_NET any -> any 25 \
> >  (flow:to_server,established;\
> >  content:"From"; content:"support at ...1526...";nocase;distance:1;\
> >  content:"| 2E 70 69 66 |"; distance: 4; within: 4;\
> >  byte_test: 4, >, 15,0,relative,string;\
> >  msg:"Incoming manhkX worm to mail server";)
>
> hmmm... Why not check for "From: support at ...253..."? What's the reasoning for
> splitting this into two content sections? I'm not sure about
> distance:1... perhaps Jeff can comment on that, but something doesn't
> look right about it.

Well, I was thinking From:support at ...1526..., but when I had the ':' char
in there I kept getting the following error:

ERROR: /usr/local/snort/rules//local.rules(12) => ParsePattern Got Null enclosed in quotation marks (")!

if I had it set up like so:

 alert tcp $EXTERNAL_NET any -> any 25 \
 (flow:to_server,established;\
 content:"From:support at ...1526...";nocase;\
 content:"| 2E 70 69 66 |"; distance: 4; within: 4;\
 byte_test: 4, >, 15,0,relative,string;\
 msg:"Incoming manhkX worm to mail server";)

So I thought I would have the 'From' and then support at ...1526..., and
have the two patterns one byte away from each other, since I was assuming
there would probably be a ':' char between the two (but I kept getting that
error)... I guess I should read up on why I can't put that in there, but I
kinda hacked the sig to get it to work...

Patience is a virtue sometimes..


-Daniel Uriah Clemens
-------------------------------------------------------------------------------------------------------------
Esse quam videra
    		(to be, rather than to appear)
http://www.birmingham-infragard.org   | 2053284200 | 877.806.8928
--------------------------------------------------------------------------------------------------------------
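As an added example (not part of Daniel's post or of Snort's own code), the following Python emulates the content/distance/within/byte_test chain of the rule above against constructed SMTP header fragments, which shows that `distance:1` does not require a ':' to sit between "From" and the address: distance only sets where the search for the next pattern begins. The sender address (`support@example.invalid`, since the archive elides the real one) and the window reading of `within` are assumptions, noted in the comments.

```python
import re

# Constructed placeholder for the sender address; the list archive elides the real one.
SENDER = b"support@example.invalid"

def find_content(payload, pattern, start, nocase=False, within=None):
    """First occurrence of `pattern` at or after `start` as (begin, end), or None.
    `within` is modelled as the Snort 2.x search window length: the match must
    end no later than start + within (exact boundary handling differs between
    Snort versions, so treat this as an approximation)."""
    hay, needle = (payload.lower(), pattern.lower()) if nocase else (payload, pattern)
    begin = hay.find(needle, start)
    if begin < 0:
        return None
    end = begin + len(needle)
    if within is not None and end > start + within:
        return None
    return begin, end

def byte_test_gt_string(payload, nbytes, value, offset, relative_end):
    """byte_test:<nbytes>,>,<value>,<offset>,relative,string: parse up to nbytes
    of decimal ASCII starting `offset` bytes after the previous match, compare."""
    chunk = payload[relative_end + offset : relative_end + offset + nbytes]
    digits = re.match(rb"\d+", chunk)
    return digits is not None and int(digits.group()) > value

def rule_matches(payload):
    """Walk the rule's content chain as written in the post:
    "From" -> sender (nocase; distance:1) -> ".pif" (distance:4; within:4)
    -> byte_test:4,>,15,0,relative,string."""
    m = find_content(payload, b"From", 0)
    if m is None:
        return False
    m = find_content(payload, SENDER, m[1] + 1, nocase=True)            # distance:1
    if m is None:
        return False
    m = find_content(payload, b"\x2e\x70\x69\x66", m[1] + 4, within=4)  # "|2E 70 69 66|"
    if m is None:
        return False
    return byte_test_gt_string(payload, 4, 15, 0, m[1])

# Constructed SMTP header fragments (no real mail involved):
COLON_GAP = b"From:" + SENDER + b"abcd.pif0020\r\n"                  # ':' is the 1-byte gap
SPACE_GAP = b"From: Support@Example.Invalid" + b"abcd.pif0020\r\n"   # 2-byte gap, mixed case
LOW_COUNT = b"From:" + SENDER + b"abcd.pif0010\r\n"                  # byte_test fails (10 <= 15)
NO_GAP    = b"From:" + SENDER + b".pif0020\r\n"                      # ".pif" outside the window

if __name__ == "__main__":
    for name, p in [("COLON_GAP", COLON_GAP), ("SPACE_GAP", SPACE_GAP),
                    ("LOW_COUNT", LOW_COUNT), ("NO_GAP", NO_GAP)]:
        print(name, rule_matches(p))
```

Both COLON_GAP and SPACE_GAP match, so the rule as posted fires whether or not the colon is present; NO_GAP shows that distance:4 with within:4 pins ".pif" to exactly four bytes after the address ends.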