[Snort-sigs] Worm Signatures

Chintan Gosalia chintan_cmpe at ...144...
Tue Apr 6 12:15:07 EDT 2004

Hi all,

This issue has been discussed several times on the bulletin, but I have not found any concrete answer. What can be the best way to come up with signatures for various worms? Should one just pick up the payload for the worm and choose any random string and make it a signature? Or is there any more concrete method? As most of the worms are in .zip, .pif etc. attachments, the payload we see is either a compressed form of the actual files? So what can be the best way to come up with signatures for them with respect to generating the least false positives?

Any help is appreciated.

