[Snort-sigs] W32/SWEN.A signature

Jordi Herrero jherrero at ...1907...
Fri Sep 26 02:44:09 EDT 2003


It seems Microsoft patch KB824146 creates a false positive; if resp: rst_all
is active, it means you cannot send the Microsoft patch over mail. I expect
patch downloads will be reset too.

Jordi Herrero.


----- Original Message -----
From: "pieter claassen" <pieter at ...1894...>
To: <snort-sigs at lists.sourceforge.net>
Sent: Tuesday, September 23, 2003 12:15 PM
Subject: [Snort-sigs] W32/SWEN.A signature


> Here is a signature for the swen.a worm. As listed, it will work with
> IPS and IDS flex response and will reject traffic (send a TCP reset to
> both sending and receiving MTAs). Note that we have seen some of the
> executables that have a slightly different base64 encoding and therefore
> will not match. Also, without TCP stream reassembly, you will still see
> some of the stuff getting through, but it will reduce the flood.
>
> reject tcp any any -> any 25 (msg:"SWEN.A Worm detected"; content:
> "|54|VqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAA"; sid:3000001; rev:2;
> classtype:misc-activity; resp: rst_all; reference:cve,CVE-2001-0154; )
>
> Regards,
> Pieter
> --
> Pieter Claassen
> CounterSnipe Technologies
> www.countersnipe.com
>
>
> Highview House
> Charles Square
> Bracknell
> Berkshire
> RG12 1DF
> United Kingdom
>
>
> Tel: +44(0) 1344 390 530
> Fax: +44(0) 1344 390 700
> Mobile: +44 (0) 776 6656 924
> email: pieter at ...1894...
>
>
>
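The content string in the quoted rule ("|54|" is the byte 0x54, i.e. "T") is the base64 encoding of the first 26 bytes of the standard MS-DOS stub header that begins nearly every Win32 executable, so any MIME-encoded .exe attachment matches it, which is consistent with the KB824146 false positive reported above, and a file whose header differs in even one early byte produces different base64 and is missed. The following is an added example for this thread, not code from either poster; the header field values, the variant header and the filler body are constructed.

```python
import base64
import struct

# Content string from the quoted rule: Snort's "|54|" is the byte 0x54, i.e. "T".
RULE_CONTENT = "T" + "VqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAA"


def rule_content_bytes() -> bytes:
    """Decode the rule's base64 fragment (re-padded) into the raw bytes it implies."""
    padded = RULE_CONTENT + "=" * (-len(RULE_CONTENT) % 4)
    return base64.b64decode(padded)


def mz_header(e_cblp: int = 0x90, e_lfarlc: int = 0x40) -> bytes:
    """Constructed first 28 bytes of an IMAGE_DOS_HEADER (offset 0 of a Win32 PE).

    Little-endian 2-byte fields in declaration order: e_magic e_cblp e_cp e_crlc
    e_cparhdr e_minalloc e_maxalloc e_ss e_sp e_csum e_ip e_cs e_lfarlc e_ovno,
    filled with the familiar values of the standard MS-DOS stub; e_cblp and
    e_lfarlc are parameters so a slightly different header can be produced.
    """
    return struct.pack("<2s13H", b"MZ", e_cblp, 3, 0, 4, 0, 0xFFFF, 0, 0xB8,
                       0, 0, 0, e_lfarlc, 0)


def mime_base64_lines(data: bytes, width: int = 76) -> list:
    """Encode an attachment body the way a MIME base64 transfer encoding does."""
    enc = base64.b64encode(data).decode("ascii")
    return [enc[i:i + width] for i in range(0, len(enc), width)]


def rule_matches_attachment(data: bytes) -> bool:
    """Does the rule's content string occur in the MIME-encoded body of this file?

    This mirrors what the Snort content match sees in the SMTP DATA payload
    (reassembled or not): the 35-char string sits entirely inside the first
    76-char base64 line, so a match on any line is enough.
    """
    return any(RULE_CONTENT in line for line in mime_base64_lines(data))


def demo() -> dict:
    """Constructed stand-ins: a typical executable and one with a different e_cblp."""
    body = bytes(100)  # constructed filler standing in for the rest of the PE
    return {
        "rule_bytes_are_dos_header": rule_content_bytes() == mz_header()[:26],
        "typical_exe_matches": rule_matches_attachment(mz_header() + body),
        "variant_header_matches": rule_matches_attachment(mz_header(e_cblp=0x50) + body),
    }
```

Because the rule keys on the generic DOS stub rather than anything specific to the worm, every base64-encoded Windows executable on port 25 is rejected, patches included, while a sample with a non-standard stub passes untouched.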