[Snort-sigs] Re: W32.Beagle.J Worm Signature?

Mark.Schutzmann at ...2233...
Thu Mar 4 08:02:02 EST 2004


RuthAnne,

I'm also filtering on keywords in the meantime, but you're right on about
the subjects possibly changing. The other reason to have a real signature
is because of the scenario where a user might have gotten the attachment
and copied it across the network, or even launched the contents.

Thanks,
Mark


RuthAnne Bevier <ruthanne at ...2296...>
Sent by: snort-sigs-admin at ...551...ceforge.net
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] Re: W32.Beagle.J Worm Signature?
03/03/2004 11:54 PM




I hope I'm not doing this wrong -- this is the first time
I've posted here and I get the list in digest mode.

I don't have a snort signature to offer per se, but fwiw,
Beagle.J and Beagle.K seem to use the same 7 possible subject
lines.  We've been successfully filtering on those.  Obviously
not a long-term fix since the worm writers will probably change
this, but for now it works.  See, e.g., the Symantec writeup for
a list of the seven subject lines:
http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.j@...1512...


     --RuthAnne

--
RuthAnne Bevier
ITS Network Systems Security
California Institute of Technology
626-395-2671
ruthanne at ...2296...
http://www.its.caltech.edu/its/security/




_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs