[Snort-sigs] Virus sig for worm_palyh.a and pe_ganda.a? .....can you give me some pointers. (fwd)

Dale L. Handy dhandy at ...1244...
Tue May 20 14:46:04 EDT 2003


I think you just need to 'escape' the colon (:), i.e., put a backslash 
(\) in front of it:

alert tcp $EXTERNAL_NET any -> any 25 \
(flow:to_server,established;\
content:"From\:support at ...1526...";nocase;\
content:"| 2E 70 69 66 |"; distance: 4; within: 4;\
byte_test: 4, >, 15,0,relative,string;\
msg:"Incoming manhkX worm to mail server";)

I am not where I can test it right now, but I'll try to do so later...


daniel.clemens wrote:

>I was playing around last night with some of these rules hoping to get
>some feedback from some friends.
>I haven't gotten to test these in a production environment since I don't
>have the actual virus but thought I would pass along portions of the
>conversation for the list members' consumption and possibly some correction
>from Brian on the rule format.
>
>>> alert tcp $EXTERNAL_NET any -> any 25 \
>>> (flow:to_server,established;\
>>> content:"From"; content:"support at ...1526...";nocase;distance:1;\
>>> content:"| 2E 70 69 66 |"; distance: 4; within: 4;\
>>> byte_test: 4, >, 15,0,relative,string;\
>>> msg:"Incoming manhkX worm to mail server";)
>>>
>>hmmm... Why not check for "From: support at ...253..."? What's the reasoning for
>>splitting this into two content sections? I'm not sure about
>>distance:1... perhaps Jeff can comment on that, but something doesn't
>>look right about it.
>>
>
>Well, I was thinking From:support at ...1526..., but when I had the ':' char
>in there I kept getting the following error:
>
>ERROR: /usr/local/snort/rules//local.rules(12) => ParsePattern Got Null
>enclosed in quotation marks (")! if I had it setup like so:
>
> alert tcp $EXTERNAL_NET any -> any 25 \
> (flow:to_server,established;\
> content:"From:support at ...1526...";nocase;\
> content:"| 2E 70 69 66 |"; distance: 4; within: 4;\
> byte_test: 4, >, 15,0,relative,string;\
> msg:"Incoming manhkX worm to mail server";)
>
>So I thought I would have the 'from' and then support at ...1526..., and
>have the two patterns one byte away from each other, since I was assuming
>there would probably be a ':' char between the two (but I kept getting that
>error)... I guess I should read up on why I can't put that in there, but I
>kinda hacked the sig to get it to work...
>
>patience is a virtue sometimes..
>
>
>-Daniel Uriah Clemens
>-------------------------------------------------------------------------------------------------------------
>Esse quam videra
>    		(to be, rather than to appear)
>http://www.birmingham-infragard.org   | 2053284200 | 877.806.8928
>--------------------------------------------------------------------------------------------------------------
>
>_______________________________________________
>Snort-sigs mailing list
>Snort-sigs at lists.sourceforge.net
>https://lists.sourceforge.net/lists/listinfo/snort-sigs

-- 
"The trouble with doing something right the first time 
 is that nobody appreciates how difficult it was."

-- Dale L. Handy, P.E.
   dale at ...1527...          (208) 552-5332 (work)          (208) 403-6424 (cell)
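What the rule in this thread actually demands of a message, as an added Python emulation (not code from the thread or from Snort itself): it walks the content / distance / within / byte_test chain over a constructed SMTP payload and reports whether the rule would fire. The sender domain, which the archive elides, is replaced by the constructed placeholder support@example.test, and the reading of within (the whole pattern must fit in the next N bytes after the distance skip) is this example's assumption.

```python
def content_match(buf, pattern, pos, distance=0, within=None, nocase=False):
    """Emulate one Snort 'content' option relative to 'pos' (the end of
    the previous match; 0 for the first content). Returns the offset just
    past the new match, or None if it fails.
    Assumption: 'within' limits the search window to 'within' bytes,
    and the whole pattern must fit inside that window."""
    start = pos + distance
    end = len(buf) if within is None else min(len(buf), start + within)
    hay, needle = buf[start:end], pattern
    if nocase:
        hay, needle = hay.lower(), needle.lower()
    i = hay.find(needle)
    return None if i < 0 else start + i + len(pattern)


def byte_test_string(buf, pos, nbytes, op, value, offset=0):
    """Emulate byte_test:<nbytes>,<op>,<value>,<offset>,relative,string:
    read nbytes of ASCII decimal digits at pos+offset and compare."""
    raw = buf[pos + offset:pos + offset + nbytes]
    if len(raw) < nbytes or not raw.isdigit():
        return False
    n = int(raw)
    return {">": n > value, "<": n < value, "=": n == value}[op]


def matches_rule(payload: bytes) -> bool:
    """The thread's rule: From:support@<domain> (nocase), then '.pif'
    exactly 4 bytes later (distance:4; within:4), then a 4-digit decimal
    string > 15 immediately after it (byte_test:4,>,15,0,relative,string)."""
    # Placeholder domain (constructed); the real one is elided in the archive.
    pos = content_match(payload, b"From:support@example.test", 0, nocase=True)
    if pos is None:
        return False
    # "|2E 70 69 66|" is the hex form of ".pif"
    pos = content_match(payload, bytes.fromhex("2E706966"), pos,
                        distance=4, within=4)
    if pos is None:
        return False
    return byte_test_string(payload, pos, 4, ">", 15)


# Constructed sample payloads, not captured traffic.
HIT = b"From:Support@example.test" + b"XXXX" + b".pif" + b"0042"
WRONG_GAP = b"From:support@example.test" + b"XX" + b".pif0042"     # .pif too early
SMALL_NUM = b"From:support@example.test" + b"XXXX" + b".pif" + b"0007"  # 7 is not > 15

if __name__ == "__main__":
    for name, p in (("HIT", HIT), ("WRONG_GAP", WRONG_GAP), ("SMALL_NUM", SMALL_NUM)):
        print(name, matches_rule(p))
```

Changing distance or within in matches_rule and re-running the three samples shows how tightly the original rule pins the .pif position, which is the part of the signature most likely to miss a real variant.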