[Snort-sigs] Virus sig for worm_palyh.a and pe_ganda.a?

Shane Williams shanew at ...94...
Wed May 21 06:37:10 EDT 2003

On 21 May 2003, Burak DAYIOGLU wrote:

> On Tue, 2003-05-20 at 18:04, Robert Reid wrote:
> > Just loaded this rule on two sensors and immediately started getting 1000's
> > of false positives per min.
> > Robert
> Are you sure that the alerts are merely false positives? I believe that
> you are infected ;)

I would recommend you check this possibility as well.  When I was
testing, I saw the number of alerts jump quickly beyond 200, and I
knew our server had only received about 70 or so.  Took me a minute to
realize one of our users was already infected and had sent out well
over 100 copies from his machine.

> The below rule is one of the longest pattern matching rules in the whole
> snort ruleset, I don't suspect it to generate much false positives.
> (Actually, such long patterns *generally* cause false negatives at all
> :)

True.  If anyone has legitimate false negatives or positives, please
send me a packet capture, and if it's a false negative, a copy of the
email that passed through.  So far, it looks good on both points on my
end, but I only have about 800 users.

Public key #7BBC68D9 at            |                 Shane Williams
http://pgp.mit.edu/                |      System Admin - UT iSchool
All syllogisms contain three lines |              shanew at ...94...
Therefore this is not a syllogism  | www.ischool.utexas.edu/~shanew
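The post above distinguishes a real false-positive flood from a single infected internal host that is mass-mailing copies. One defender-side check for that is to group the alerts by source address and see whether the volume comes from many outside senders or from one machine on the inside. The following is an added example, not code from the post or the Snort project; the alert lines are constructed in the style of Snort's "fast" alert output, the SID 1:1000001 and all addresses are placeholders, and the internal network ranges and threshold are assumptions the operator would set.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample alert lines (not real captures). The mail server is
# 10.0.0.25; 10.1.2.3 is an internal host that has sent several copies.
SAMPLE_ALERTS = """\
05/21-06:30:01.000001 [**] [1:1000001:1] LOCAL worm attachment (placeholder) [**] [Priority: 1] {TCP} 203.0.113.7:4312 -> 10.0.0.25:25
05/21-06:30:05.000001 [**] [1:1000001:1] LOCAL worm attachment (placeholder) [**] [Priority: 1] {TCP} 198.51.100.9:2201 -> 10.0.0.25:25
05/21-06:30:09.000001 [**] [1:1000001:1] LOCAL worm attachment (placeholder) [**] [Priority: 1] {TCP} 10.1.2.3:1025 -> 10.0.0.25:25
05/21-06:30:10.000001 [**] [1:1000001:1] LOCAL worm attachment (placeholder) [**] [Priority: 1] {TCP} 10.1.2.3:1026 -> 10.0.0.25:25
05/21-06:30:11.000001 [**] [1:1000001:1] LOCAL worm attachment (placeholder) [**] [Priority: 1] {TCP} 10.1.2.3:1027 -> 10.0.0.25:25
05/21-06:30:12.000001 [**] [1:1000001:1] LOCAL worm attachment (placeholder) [**] [Priority: 1] {TCP} 10.1.2.3:1028 -> 10.0.0.25:25
05/21-06:30:13.000001 [**] [1:1000001:1] LOCAL worm attachment (placeholder) [**] [Priority: 1] {TCP} 10.1.2.3:1029 -> 10.0.0.25:25
05/21-06:30:20.000001 [**] [1:1000001:1] LOCAL worm attachment (placeholder) [**] [Priority: 1] {TCP} 203.0.113.44:3312 -> 10.0.0.25:25
"""

# Matches the "{PROTO} src:port -> dst:port" tail of a fast-format alert line.
_ENDPOINTS = re.compile(
    r"\{[A-Za-z]+\} (\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):\d+"
)


def parse_alerts(text):
    """Return a list of (src_ip, dst_ip) tuples, one per parseable alert line."""
    pairs = []
    for line in text.splitlines():
        m = _ENDPOINTS.search(line)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def summarize_sources(text, internal_nets, threshold):
    """Count alerts per source address and flag internal sources at or above threshold.

    internal_nets: iterable of CIDR strings the operator considers inside (assumption).
    threshold: number of alerts from one internal host that warrants a look (assumption).
    Returns (counts_per_source, suspect_internal_sources).
    """
    nets = [ip_network(n) for n in internal_nets]
    counts = Counter(src for src, _ in parse_alerts(text))
    internal = {
        src: n for src, n in counts.items()
        if any(ip_address(src) in net for net in nets)
    }
    suspects = {src: n for src, n in internal.items() if n >= threshold}
    return counts, suspects


if __name__ == "__main__":
    counts, suspects = summarize_sources(SAMPLE_ALERTS, ["10.0.0.0/8"], threshold=3)
    print("alerts per source:", dict(counts))
    # Many distinct outside senders with a handful each looks like inbound mail;
    # one inside host with a large share is what the post describes.
    print("internal hosts to check:", suspects)
```

Run against the real alert file with the site's own internal ranges; a source that accounts for a large share of the alerts is the first place to look before treating the rule as noisy.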
