[Snort-sigs] Re: W32.Beagle.J Worm Signature?

Mark.Schutzmann at ...2233...
Thu Mar 4 08:02:02 EST 2004


I'm also filtering on keywords in the meantime, but you're right on about
the subjects possibly changing. The other reason to have a real signature
is because of the scenario where a user might have gotten the attachment
and copied it across the network, or even launched the contents.


From: RuthAnne Bevier <ruthanne at ...2296...>
Sent by: snort-sigs-admin at ...551...
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] Re: W32.Beagle.J Worm Signature?
Date: 03/03/2004 11:54 PM

I hope I'm not doing this wrong -- this is the first time
I've posted here and I get the list in digest mode.

I don't have a snort signature to offer per se, but fwiw,
Beagle.J and Beagle.K seem to use the same 7 possible subject
lines.  We've been successfully filtering on those.  Obviously
not a long-term fix since the worm writers will probably change
this, but for now it works.  See, e.g., the Symantec writeup for
a list of the seven subject lines:


RuthAnne Bevier
ITS Network Systems Security
California Institute of Technology
ruthanne at ...2296...

Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
