[Snort-sigs] Storm worm rule

Paul Schmehl pauls at ...1311...
Wed Feb 13 17:02:15 EST 2008

--On Wednesday, February 13, 2008 13:54:13 -0800 Matt Jonkman 
<jonkman at ...829...> wrote:

> We've had this one covered in emerging threats sigs (botht he regular
> edonkey and the encrypted ones) for a very long time now.
> Were you running these, and if so were they not hitting?

Matt, if this is what you're referring to, it's not what I'm interested in.

alert udp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"BLEEDING-EDGE 
TROJAN Storm Worm Encrypted Traffic Inbound - Likely Connect Ack"; dsize:2; 
threshold: type threshold, count 10, seconds 60, track by_dst; 
classtype:trojan-activity; sid:2007635; rev:1;)

There's no detection for the eDonkey protocol.  A dsize of 2 may be unusual, 
but it won't be unique.  Perhaps with the threshold false positives are 
reduced, but I'm trying to improve my snort-fu by writing rules that are 
extremely accurate in what they detect, and that requires protocol detection 
within the payload.

Paul Schmehl (pauls at ...1311...)
Senior Information Security Analyst
The University of Texas at Dallas

More information about the Snort-sigs mailing list