[Snort-sigs] Quickie rule to catch the new price.zip virus going around
matt at ...2436...
Tue Aug 10 18:19:44 EDT 2004
Paul Tinsley wrote:
> I am going to suggest the use of mine over the one you posted using
> pcre as there are more name variations out there than you have in the
> sig. Thats why I used "within" to try and catch more randomization in
> the file name. Granted mine will fire on any *price*.zip file (with
> no longer than 10 characters before or after price) but there will be
> less false negatives.
I'd agree, but I don't see any docs showing that there are any other
filenames in use for this particular worm. If there were variations your
way would certainly be better, and definitely more elegant. :)
But I think for this one if the filenames stay in this range they'll be
reliably caught with this method.
But of course if there is evidence somewhere that there are more
variations we can change over to your method.
> The other thing you need to be careful with is the fact that this worm
> finds email addresses on the box it infects and looks at the MX record
> of the domain it is sending mail to. If your users don't have many
> external contacts most of the attacks will be on internal addresses.
> If your MX mail servers live inside of your HOME_NET and you have a
> default EXTERNAL_NET (!$HOME_NET,) you won't fire if the worm is using
> your servers to send mail.
THat's a good point. Hopefully we'd catch the multiple smtp connections
for the mail being sent with other rules in effect, but if they're on
exchange we'd not see that. But the odds of not having a single external
domain on a box are pretty slim. I think every box would have at least
microsoft.com, or whatever mail client they're using in there somewhere.
What would be ideal is a packet dump of the actual worm binary that we
could extract a unique string from and look for that on all ports, but
that would be a lot of overhead for snort so string match every packet
on every port.
> Another thing that might help reduce false positives, if you are only
> looking for infected clients is to make a pass copy of the rule:
> pass $SMTP_SERVERS any -> any 25 (rule junk here...)
Very good point. I'll leave that out of the bleeding rules though to
Thanks very much for the ideas. Much appreciated.
More information about the Snort-sigs