[Snort-sigs] Virus sig for worm_palyh.a and pe_ganda.a?

Magnus Larsson magnus.larsson at ...1524...
Tue May 20 12:28:12 EDT 2003


I loaded this on one sensor where I know for 100% sure I have this virus 
active and I haven't got one single false positive yet. Is there more than one 
version of this virus in the free? What were the actual data on the false 
positives you received?

Best Regards,

Magnus


Quoting Robert Reid <rreid at ...414...>:

> Just loaded this rule on two sensors and immediately started getting 1000s
> of false positives per min.
> 
> Robert
> 
> 
> -----Original Message-----
> From: Shane Williams [mailto:shanew at ...94...] 
> Sent: Monday, May 19, 2003 5:27 PM
> To: Magnus Larsson
> Cc: snort-sigs at lists.sourceforge.net
> Subject: Re: [Snort-sigs] Virus sig for worm_palyh.a and pe_ganda.a?
> 
> 
> On Mon, 19 May 2003, Magnus Larsson wrote:
> 
> > Hi there!
> > 
> > Is there a signature for the worm_palyh.a virus and the pe_ganda.a 
> > virus? Or does anyone know how to write it?
> 
> I'm working on one right now.  Here's a first go (I'm running 1.8.6, so
> pardon the old style rule):
> 
> alert tcp any any -> any 25 (msg:"Possible Palyh virus in SMTP"; \
> content:"2f6LwTPJiUgEAggMEMcAQEJBAMP9d///Vovx6AoAAC/2RCQIAXQHVgyEWlmLxl7CBAAH2X7fG4tG"; \
> sid:9000018; classtype:misc-activity; rev:1;)
> 
> I'm running it on traffic dumps from today so I can compare it with info
> from a virus scan on our mailserver, but so far it looks good, with no false
> positives or negatives.
> 
> Please let me know how it works.
> 
> -- 
> Public key #7BBC68D9 at            |                 Shane Williams
> http://pgp.mit.edu/                |      System Admin - UT iSchool
> =----------------------------------+-------------------------------
> All syllogisms contain three lines |              shanew at ...94...
> Therefore this is not a syllogism  | www.ischool.utexas.edu/~shanew
> 
> 
> 
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> 
