[Snort-sigs] Quickie rule to catch the new price.zip virus going around

Matthew Jonkman matt at ...2436...
Mon Aug 9 14:58:08 EDT 2004


We've got a few more on bleedingsnort.com as well, the first was up 
about 3 and a half hours ago. I think my posts on it are still coming to 
the list.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Bagle Variant Requesting 2.jpg"; flow:to_server,established; reference:url,http.isc.sans.org/diary.php?date=2004-08-09; content:"GET /2.jpg"; sid:2001061; rev:3;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Bagle Variant Checking In"; flow:to_server,established; reference:url,vil.nai.com/vil/content/v_127423.htm; uricontent:"/spyware.php"; sid:2001064; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Possible Bagle.AQ Worm Outbound"; flow:to_server,established; content:"filename="; nocase; pcre:"/(price2|new_price|08_price|newprice|price_new|price|price_08)\.zip/i"; sid:2001065; rev:1;)

Matt

Paul Tinsley wrote:
> Comments welcome, as I said written in a hurry, seems to work in my
> environment just fine.  If you are sitting somewhere that you can see
> traffic between mail servers you may need to add a pass rule for the
> mail servers as a source so they don't show up as infected sources.
> 
> alert tcp any any -> any 25 (msg:"Price Virus traffic (WORM_Bagle.AC)"; sid:1200035; rev:1; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BAGLE.AC; content:"filename="; content:"price"; within:10; content:".zip"; within:10;)
> 
> Thanks,
>           Paul Tinsley
> 
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
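To make the difference between the two SMTP rules concrete (Matt's sid:2001065 with its pcre alternation, and Paul's "price" / ".zip" pair tied together with within:10), here is a plain-Python re-creation of their matching logic run over a few constructed Content-Disposition headers, plus the two HTTP check-in rules. This is an added example, not code from either poster and not the Snort engine; it mirrors only as much of Snort's content/pcre/within/nocase semantics as is needed to show what each rule does and does not catch, and the sample headers and HTTP requests are made up for illustration.

```python
"""Re-creation in plain Python of the matching logic in the Bagle rules above,
run over constructed Content-Disposition headers and HTTP request lines.

Added example: not code from the original post and not the Snort engine.
It mirrors Snort's content / pcre / within / nocase behaviour only as far as
needed to show what each rule matches; all sample data is made up.
"""
import re

# sid:2001065 pcre as originally posted: the "." is unescaped (matches any
# byte), "new_price" is listed twice, and case-insensitivity was left to a
# trailing nocase instead of an /i flag.
MATT_PCRE_AS_POSTED = re.compile(
    rb"(price2|new_price|08_price|newprice|new_price|price_new|price|price_08).zip")

# Same alternation with the dot escaped, the duplicate dropped and /i applied.
MATT_PCRE_FIXED = re.compile(
    rb"(price2|new_price|08_price|newprice|price_new|price|price_08)\.zip", re.I)


def matt_rule_matches(payload: bytes, pattern=MATT_PCRE_FIXED) -> bool:
    """content:"filename="; nocase; pcre:/.../ -- both anywhere in the payload."""
    return b"filename=" in payload.lower() and pattern.search(payload) is not None


def _content_within(payload: bytes, pattern: bytes, start: int, within: int) -> int:
    """Snort 'within:N': the next content must lie wholly inside the N bytes
    that follow the previous match. Returns the end offset of the match or -1."""
    window = payload[start:start + within]
    idx = window.find(pattern)
    return -1 if idx < 0 else start + idx + len(pattern)


def paul_rule_matches(payload: bytes) -> bool:
    """content:"filename="; content:"price"; within:10; content:".zip"; within:10;

    Case-sensitive, since the rule carries no nocase. Every occurrence of
    "filename=" is tried, as Snort would on a failed later match."""
    start = 0
    while True:
        i = payload.find(b"filename=", start)
        if i < 0:
            return False
        end_name = i + len(b"filename=")
        end_price = _content_within(payload, b"price", end_name, 10)
        if end_price >= 0 and _content_within(payload, b".zip", end_price, 10) >= 0:
            return True
        start = i + 1


def http_rule_sid(request: bytes):
    """The two HTTP rules: content:"GET /2.jpg" (sid 2001061) is a raw match;
    uricontent:"/spyware.php" (sid 2001064) applies to the request URI only.
    Returns the sid that would fire, or None."""
    if b"GET /2.jpg" in request:
        return 2001061
    request_line = request.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) >= 2 and b"/spyware.php" in parts[1]:
        return 2001064
    return None


# Constructed sample MIME headers (not real captures).
SAMPLES = {
    "price.zip": b'Content-Disposition: attachment; filename="price.zip"\r\n',
    "new_price.zip": b'Content-Disposition: attachment; filename="new_price.zip"\r\n',
    "Price.ZIP": b'Content-Disposition: attachment; filename="Price.ZIP"\r\n',
    "price_list_2004.zip": b'Content-Disposition: attachment; filename="price_list_2004.zip"\r\n',
    "price2zip.exe": b'Content-Disposition: attachment; filename="price2zip.exe"\r\n',
    "report.pdf": b'Content-Disposition: attachment; filename="report.pdf"\r\n',
}


def evaluate(payload: bytes) -> dict:
    """Which of the three SMTP checks fire on one payload."""
    return {
        "matt_as_posted": matt_rule_matches(payload, MATT_PCRE_AS_POSTED),
        "matt_fixed": matt_rule_matches(payload),
        "paul": paul_rule_matches(payload),
    }


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:22} {evaluate(payload)}")
```

Two things the run makes visible: the unescaped dot in the posted pcre lets a name like price2zip.exe fire while the case-sensitive alternation misses Price.ZIP, and Paul's within:10 chain rejects price_list_2004.zip because ".zip" sits more than ten bytes past "price", which is exactly the adjacency that keeps it from alerting on ordinary price-list attachments.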