[Snort-sigs] Storm worm rule

Matt Jonkman jonkman at ...829...
Wed Feb 13 16:54:13 EST 2008


We've had this one covered in emerging threats sigs (both the regular
edonkey and the encrypted ones) for a very long time now.

Were you running these, and if so were they not hitting?

Matt

Jason Haar wrote:
> Paul Schmehl wrote:
>> This is a packet capture of a known storm-infected host.  Normal data payload 
>> size is either 2 bytes or 25 bytes.
>>
>> 0000  00 0f 23 aa 37 40 00 0d  ed ac 93 40 81 00 00 02   ..#.7@.. ...@....
>> 0010  08 00 45 00 00 35 85 2b  00 00 74 11 ef 1c 81 6e   ..E..5.+ ..t....n
>> 0020  f1 06 80 67 df 93 f7 9b  1c 52 00 21 94 10 10 a6   ...g.... .R.!....
>> 0030  4b 69 53 29 56 b1 29 22  8b a9 ad 3c 22 0b 3a 8d   KiS)V.)" ...<".:.
>> 0040  e2 53 17 15 81 49 46                               .S...IF
>>
>> The signature |10 a6| at byte 47 is the indication of an encrypted eDonkey 
>> session (typically used by Storm along with UDP).
>>
>> So, would this be the correct syntax?  alert udp blah(msg:"blah"; dsize:2<>25; 
>> content:"|10 a6|"; offset:47; blah.  Or am I missing something?
>>
>>   
> Two bytes sounds like an invitation for FPs. In the 25 byte ones, are 
> there one or two more data segments where the chars are fixed? How about 
> the port numbers?
> 
> i.e. I'd say ignore the 2 byte packets and focus on the 25. I'm assuming 
> of course that the infected host generates both packets as part of its 
> normal traffic. I can't imagine exclusively using 2byte packets for all 
> communication would be very useful to it! :-)
> 
> (although if it did, that would be something you could write a 
> 'threshold' rule for...)
> 

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
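Added example, not code from anyone in this thread: it decodes the frame quoted above to show where the UDP payload actually starts. The capture is 802.1Q tagged, so the Ethernet header is 18 bytes, and |10 a6| turns out to be the first two bytes of the 25-byte payload; since Snort's content `offset` is measured from the start of the payload rather than the start of the frame, that matters when turning the dump into a rule. Uses only the Python 3 standard library; the hex dump is re-typed from the post without its ASCII column.

```python
import struct
from ipaddress import IPv4Address

# Bytes from the captured frame in the post, re-typed here as constructed input.
HEX_DUMP = """
0000  00 0f 23 aa 37 40 00 0d  ed ac 93 40 81 00 00 02
0010  08 00 45 00 00 35 85 2b  00 00 74 11 ef 1c 81 6e
0020  f1 06 80 67 df 93 f7 9b  1c 52 00 21 94 10 10 a6
0030  4b 69 53 29 56 b1 29 22  8b a9 ad 3c 22 0b 3a 8d
0040  e2 53 17 15 81 49 46
"""

def frame_from_hexdump(dump):
    """Turn an offset-prefixed hex dump (bytes only, no ASCII column) into raw bytes."""
    out = bytearray()
    for line in dump.strip().splitlines():
        out += bytes.fromhex("".join(line.split()[1:]))  # drop the offset column
    return bytes(out)

def decode_udp(frame):
    """Walk Ethernet (optionally 802.1Q tagged) -> IPv4 -> UDP; return header fields and payload."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    off, vlan = 14, None
    if ethertype == 0x8100:  # 802.1Q tag: 2-byte TCI, then the real EtherType
        vlan = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        ethertype = struct.unpack("!H", frame[16:18])[0]
        off = 18
    if ethertype != 0x0800:
        raise ValueError("not IPv4")
    ihl = (frame[off] & 0x0F) * 4                      # IPv4 header length in bytes
    total_len = struct.unpack("!H", frame[off + 2:off + 4])[0]
    if frame[off + 9] != 17:
        raise ValueError("not UDP")
    src = str(IPv4Address(frame[off + 12:off + 16]))
    dst = str(IPv4Address(frame[off + 16:off + 20]))
    udp = off + ihl
    sport, dport, ulen = struct.unpack("!HHH", frame[udp:udp + 6])
    payload = frame[udp + 8:off + total_len]          # bound by IP total length, not capture length
    return {"vlan": vlan, "src": src, "dst": dst, "sport": sport,
            "dport": dport, "udp_len": ulen, "payload": payload}

def payload_offset(payload, pattern):
    """Offset of pattern inside the UDP payload (the space Snort's offset/depth apply to), or -1."""
    return payload.find(pattern)

if __name__ == "__main__":
    d = decode_udp(frame_from_hexdump(HEX_DUMP))
    print(d["src"], d["sport"], "->", d["dst"], d["dport"], "vlan", d["vlan"])
    print("payload bytes:", len(d["payload"]), "|10 a6| at payload offset",
          payload_offset(d["payload"], b"\x10\xa6"))
```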






More information about the Snort-sigs mailing list