[Snort-sigs] Sig for Worm Swen.a?

Robert Wagner rwagner at ...447...
Tue Sep 23 06:44:06 EDT 2003


Thanks to all that replied -

I am using Rule 2, and looked at the packets and made another rule.  I am
not sure exactly what I am keying off of (I picked it up out of the packets
following a bunch of AAAA's).  I think I am getting a slightly higher hit
rate.

alert tcp any any -> any 25 (msg:"Rule 2 W32/Gibe-F,Aliases-W32/Swen.A at ...110..., discovered ";content:"|52306C474F446C68614141374150634141502F2F2F2B7270367075537036475A7244556A555563365A6E35336D464A4D64624776765674586832787265386246317838635534794C|";tag: session,300,packets ;rev:1; sid:2000016;)

alert tcp any any -> any 25 (msg:"Rule 3 W32/Gibe-F,Aliases-W32/Swen.A at ...110..., discovered ";content:"1NP3//1P/lTD9//+JReSFwHQxgKQF0P7//wBqAY2";tag: session,300,packets ;rev:1; sid:2000016;)

Let me know what you think.  (Or are there a couple different versions of
this worm and one doesn't talk back to the website?)

-----Original Message-----
From: Robert Wagner [mailto:rwagner at ...447...]
Sent: Monday, September 22, 2003 8:21 AM
To: Snort-Sigs (E-mail)
Subject: [Snort-sigs] Sig for Worm Swen.a?


Does anyone have a good signature for this worm?
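The reply above says it is unclear what the two content strings key on. As an added example (not part of the original post), this Python sketch expands a Snort content string, decodes it as a base64 fragment at each of the four possible alignments, and looks for a file header; it works on any content string without backslash escapes, not only these two. The function names and the short MAGICS list are assumptions made for the example.

```python
import base64
import re

# Content strings copied from the two rules in the post.
RULE2_CONTENT = ("|52306C474F446C68614141374150634141502F2F2F2B7270367075537036475A"
                 "7244556A555563365A6E35336D464A4D64624776765674586832787265386246317838635534"
                 "794C|")
RULE3_CONTENT = "1NP3//1P/lTD9//+JReSFwHQxgKQF0P7//wBqAY2"

# Short header list chosen for this example (an assumption, not exhaustive).
MAGICS = {b"GIF8": "GIF image", b"MZ": "DOS/PE executable",
          b"PK\x03\x04": "ZIP archive", b"\x89PNG": "PNG image"}
B64_RE = re.compile(rb"[A-Za-z0-9+/]+={0,2}")


def content_to_bytes(content):
    """Expand a Snort content string: |..| sections are hex, the rest literal."""
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        # Odd-numbered parts sit between a pair of pipes.
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def decode_alignments(raw):
    """Map skip (0-3) to decoded bytes; empty dict if raw is not base64 text."""
    if not B64_RE.fullmatch(raw):
        return {}
    decoded = {}
    for skip in range(4):
        chunk = raw[skip:].rstrip(b"=")
        chunk = chunk[:len(chunk) - len(chunk) % 4]  # whole 4-char groups only
        decoded[skip] = base64.b64decode(chunk)
    return decoded


def identify(content):
    """Return the file type whose header starts a decoding, else None."""
    for data in decode_alignments(content_to_bytes(content)).values():
        for magic, name in MAGICS.items():
            if data.startswith(magic):
                return name
    return None


if __name__ == "__main__":
    for label, content in (("Rule 2", RULE2_CONTENT), ("Rule 3", RULE3_CONTENT)):
        print(label, "->", identify(content) or "no known file header")
```

Run on the two strings, Rule 2's content decodes to the first bytes of a GIF image, while Rule 3's content is base64 text with no known header at any alignment.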

