[Snort-sigs] Important

Chintan Gosalia chintan_cmpe at ...144...
Tue Apr 6 11:33:05 EDT 2004


Hi all,
 
I have a question about the signature posted and shown below.
 
# ';' inside a content string must be escaped as '\;' or Snort will not parse the rule;
# nocase belongs on the header match, since the base64 extract is case-sensitive.
alert tcp any any -> any 25 (msg:"Sober.F Attachment (zip)"; flow:to_server,established; \
    content:"Content-Disposition: attachment\; filename="; nocase; \
    content:"NlJhIn5GWj4mcjUifkZaMmpGejZpImom"; within:1280; \
    reference:url,www.secuser.com/alertes/2004/soberf.htm; \
    classtype:trojan-activity; sid:10000038; rev:2;)

It matches the last pattern within the next 1280 bytes. I think most SMTP packets are 512-byte chunks. So does Snort support content matching across multiple packets? I think all the contents should be within a single packet and cannot span multiple packets.
 
Please correct me if I am wrong, as it will be helpful in rectifying my understanding of Snort.
 
Thanks in advance.
Chintan

Benoit Donneaux <benoit.donneaux at ...2373...> wrote:
Hello,


I'm looking for sig designers to help maintain our IDS as quickly as 
possible...
But I don't know if this mailing list is the right place.

For Sober.F, I suggest:

# ';' inside a content string must be escaped as '\;' or Snort will not parse the rule;
# nocase belongs on the header match, since the base64 extract is case-sensitive.
alert tcp any any -> any 25 (msg:"Sober.F Attachment (zip)"; flow:to_server,established; \
    content:"Content-Disposition: attachment\; filename="; nocase; \
    content:"NlJhIn5GWj4mcjUifkZaMmpGejZpImom"; within:1280; \
    reference:url,www.secuser.com/alertes/2004/soberf.htm; \
    classtype:trojan-activity; sid:10000038; rev:2;)
alert tcp any any -> any 25 (msg:"Sober.F Attachment (pif)"; flow:to_server,established; \
    content:"Content-Disposition: attachment\; filename="; nocase; \
    content:"dllygSJ+Rlp2YjEiblZtIm4uJlVtaSJu"; within:1280; \
    reference:url,www.secuser.com/alertes/2004/soberf.htm; \
    classtype:trojan-activity; sid:10000039; rev:2;)

But I don't know which SIGID to use, so I use personal SIGIDs such as 10000038...

I want to define a regular method to design rules matching this kind of 
virus:

1) Match the attachment prefix: "Content-Disposition: attachment; 
filename="
2) Match a 32-byte extract taken from the 1024th byte of the base64 virus file 
in each format (pif, zip, exe...).
3) Verify the extracted string is "within" the first 1028 bytes.



BeN
-- 
Donneaux Benoit
Net & Sec Admin
NRB - Herstal
+32 4 249 77 18
+32 473 931 249



_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
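The three-step method above, as an added example that is not the poster's tooling or Snort project code: a Python script that takes an attachment body, produces the 32-character base64 extract at offset 1024 while respecting the 76-character line wrapping a mail client applies to the body, escapes the characters Snort requires escaped inside a content string, emits a rule in the shape of the posted ones, and models how the two content matches and the within constraint are evaluated over a reassembled SMTP stream. The attachment bytes, filename, family name and SID are constructed for the demonstration; the rule shape (content, nocase, within, flow) follows the posted rules, and the header match gets nocase while the base64 extract stays case-sensitive.

```python
"""Build and sanity-check a Snort attachment rule from a sample attachment.

Added example for the posted three-step method; this is illustrative code,
not Snort code or the poster's tooling. The payload below is constructed.
"""
import base64
import re

ATTACH_PREFIX = 'Content-Disposition: attachment; filename='
EXTRACT_OFFSET = 1024   # offset into the base64 text (step 2 of the posted method)
EXTRACT_LEN = 32
MIME_LINE = 76          # RFC 2045 maximum base64 line length used by mail clients


def snort_escape(text):
    """Escape the three characters Snort requires escaped inside content:"..."."""
    return text.replace('\\', '\\\\').replace(';', '\\;').replace('"', '\\"')


def mime_base64(payload):
    """Base64-encode payload the way a mail client does: 76-char lines, CRLF ends."""
    b64 = base64.b64encode(payload).decode('ascii')
    lines = [b64[i:i + MIME_LINE] for i in range(0, len(b64), MIME_LINE)]
    return '\r\n'.join(lines) + '\r\n'


def base64_extract(payload, offset=EXTRACT_OFFSET, length=EXTRACT_LEN):
    """Take `length` chars of the raw base64 at `offset`, nudged left if needed so
    the extract never straddles a MIME line break (a CRLF inside the extract would
    make a contiguous content match fail against the wire format)."""
    b64 = base64.b64encode(payload).decode('ascii')
    if len(b64) < offset + length:
        raise ValueError('attachment too small for an extract at this offset')
    line_start = (offset // MIME_LINE) * MIME_LINE
    if offset + length > line_start + MIME_LINE:
        offset = line_start + MIME_LINE - length
    return b64[offset:offset + length]


def build_rule(sid, family, ext, extract, within=1280):
    """Emit one rule in the shape of the posted ones, with content strings escaped."""
    return (
        'alert tcp any any -> any 25 ('
        f'msg:"{family} Attachment ({ext})"; flow:to_server,established; '
        f'content:"{snort_escape(ATTACH_PREFIX)}"; nocase; '
        f'content:"{snort_escape(extract)}"; within:{within}; '
        f'classtype:trojan-activity; sid:{sid}; rev:1;)'
    )


def matches(stream, extract, within=1280):
    """Model the rule's evaluation on one reassembled buffer: header match is
    case-insensitive (nocase); the extract must then fit entirely inside the
    `within` bytes that follow the end of the header match."""
    m = re.search(re.escape(ATTACH_PREFIX), stream, re.IGNORECASE)
    if not m:
        return False
    window = stream[m.end():m.end() + within]
    return extract in window


def mime_part(filename, payload):
    """Constructed MIME part: attachment headers, blank line, base64 body."""
    return (
        'Content-Type: application/octet-stream\r\n'
        f'Content-Disposition: attachment; filename="{filename}"\r\n'
        'Content-Transfer-Encoding: base64\r\n\r\n'
        + mime_base64(payload)
    )


def constructed_payload(n=2048, seed=1):
    """Deterministic pseudo-random stand-in for a virus body (LCG, not periodic
    within n bytes, so the extract does not accidentally recur elsewhere)."""
    x = seed
    out = bytearray()
    for _ in range(n):
        x = (x * 1103515245 + 12345) & 0x7fffffff
        out.append((x >> 16) & 0xff)
    return bytes(out)


if __name__ == '__main__':
    payload = constructed_payload()
    extract = base64_extract(payload)
    print(build_rule(10000038, 'Sample', 'zip', extract))
    print('matches:', matches(mime_part('doc.zip', payload), extract))
```

With the constructed part, the extract ends roughly 1130 bytes after the end of the header match (filename, the remaining part headers, the blank line, and the CRLFs of the thirteen wrapped lines before it all count), so the posted within:1280 holds with modest headroom; a longer filename or extra headers between Content-Disposition and the body eat into it. matches() deliberately runs over the whole message as one buffer, which is what Snort's content matcher sees when the stream preprocessor reassembles the SMTP session; without reassembly each packet is inspected on its own.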
