[Snort-sigs] SigSuggest : Sober.F

Benoit Donneaux benoit.donneaux at ...2373...
Tue Apr 6 06:24:07 EDT 2004


Hello,


I'm looking for sig designers to help maintain our IDS as quickly as 
possible...
But I don't know if this mailing list is the right place.

For Sober.F, I suggest:

alert tcp any any -> any 25 ( sid: 10000038; rev: 2; msg: "Sober.F Attachment (zip)"; content: "Content-Disposition: attachment; filename="; content: "NlJhIn5GWj4mcjUifkZaMmpGejZpImom"; within: 1280; nocase; flow: to_server,established; reference:url,www.secuser.com/alertes/2004/soberf.htm; classtype: trojan-activity;)

alert tcp any any -> any 25 ( sid: 10000039; rev: 2; msg: "Sober.F Attachment (pif)"; content: "Content-Disposition: attachment; filename="; content: "dllygSJ+Rlp2YjEiblZtIm4uJlVtaSJu"; within: 1280; nocase; flow: to_server,established; reference:url,www.secuser.com/alertes/2004/soberf.htm; classtype: trojan-activity;)

But I don't know which SIGID to use, so I use a personal SIGID such as 10000038...

I want to define a regular method to design rules matching this kind of 
virus:

1) Match the attachment prefix: "Content-Disposition: attachment; 
filename="
2) Match 32 bytes extracted from the 1024th byte of the base64 virus file 
in each format (pif, zip, exe...).
3) Verify the extracted string is "within" the first 1028 bytes.
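A script that carries out the three steps above for an arbitrary attachment, added here as an example of mine and not code from the post. Assumptions: the offset is taken in the unwrapped base64 stream, the MIME body is wrapped at 76 columns (RFC 2045), the "within" value is the wrapped end position plus a 200-byte slack, and the sample attachment is constructed (bytes 0..255 repeated).

```python
import base64

MIME_LINE = 76  # RFC 2045 base64 line length; the 1024th char lands on line 13, column 36


def base64_extract(payload: bytes, offset: int = 1024, length: int = 32) -> str:
    """Step 2: take `length` base64 chars starting at `offset` of the encoded file.

    1024 is a multiple of 4, so the slice starts on a 3-byte quantum boundary and
    does not depend on how the encoder grouped the input bytes.
    """
    encoded = base64.b64encode(payload).decode("ascii")
    if offset + length > len(encoded):
        raise ValueError("attachment too small for the requested extract")
    extract = encoded[offset:offset + length]
    # Base64 never contains ; " \ or |, so the string needs no Snort escaping.
    assert not set(extract) & set(';"\\|')
    return extract


def crosses_line_wrap(offset: int, length: int, line_len: int = MIME_LINE) -> bool:
    """True if the extract straddles a CRLF in the wrapped mail body (the rule would miss)."""
    return offset // line_len != (offset + length - 1) // line_len


def wrapped_within(offset: int, length: int, line_len: int = MIME_LINE, slack: int = 200) -> int:
    """Step 3: bytes from the header match to the end of the extract, counting CRLFs.

    `slack` (assumed) covers the filename, remaining headers and blank line that sit
    between "filename=" and the first base64 line.
    """
    end = offset + length
    crlf_bytes = 2 * ((end - 1) // line_len)
    return end + crlf_bytes + slack


def snort_rule(sid: int, label: str, extract: str, within: int, rev: int = 1) -> str:
    """Step 1 + 2 + 3 as one Snort rule. nocase is kept on the header only; base64 is case-sensitive."""
    return (
        "alert tcp any any -> any 25 ( "
        f'sid: {sid}; rev: {rev}; msg: "{label}"; '
        'content: "Content-Disposition: attachment; filename="; nocase; '
        f'content: "{extract}"; within: {within}; '
        "flow: to_server,established; classtype: trojan-activity;)"
    )


SAMPLE_ATTACHMENT = bytes(range(256)) * 8  # constructed stand-in for a virus file


def demo(sid: int = 10000038) -> str:
    offset, length = 1024, 32
    if crosses_line_wrap(offset, length):
        raise ValueError("choose an offset that keeps the extract on one MIME line")
    extract = base64_extract(SAMPLE_ATTACHMENT, offset, length)
    return snort_rule(sid, "Sample Attachment (exe)", extract, wrapped_within(offset, length))
```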



BeN
-- 
Donneaux Benoit
Net & Sec Admin
NRB - Herstal
+32 4 249 77 18
+32 473 931 249
