[Snort-sigs] Ginwin improvments?

Ureleet Ureleet ureleet at ...2420...
Fri May 26 06:15:03 EDT 2006


Joe thanks!!

So we could write a follow up rule like:
alert tcp $HOME_NET -> $EXTERNAL_NET 80 (msg:"GINWIN Virus Post
attempt"; flow:to_server,stateless; content:"POST|20 2f
20|HTTP|2f|1|2e|1"; depth:15; content:"Host|3a|"; within:3; depth:5;
content:"scfzf.xicp.net"; distance:1; depth:14; sid:91919191; rev:1;)

And a second rule could be written to be similiar.  Again, until (or
if VRT) puts one out, this may suffice.
I didn't used "established" in the flow because according to the pcap,
no session is established, would need further research to determine.

There may not be a good way to detect this before to infection..  IDS != AV





>On Friday 26 May 2006 08:47, Ureleet Ureleet wrote:
> > > I do not have a pcap for it.  This was a preemptive signature based
> > > off of the virus info.  Please not to write me asking for pcap
> > > anymore.  If I had one, it would be given to the people at VRT.
>
> Here's a (sandnet-collected, so the IPs are not real) pcap of the DNS
> request and the initial HTTP post to one of the two hosts.
>
> -Joe

> -- Joe Stewart, GCIH Senior Security Researcher LURHQ http://www.lurhq.com/




More information about the Snort-sigs mailing list