[Snort-sigs] Storm worm rule

Paul Schmehl pauls at ...1311...
Wed Feb 13 17:02:15 EST 2008


--On Wednesday, February 13, 2008 13:54:13 -0800 Matt Jonkman 
<jonkman at ...829...> wrote:

> We've had this one covered in emerging threats sigs (both the regular
> edonkey and the encrypted ones) for a very long time now.
>
> Were you running these, and if so were they not hitting?
>

Matt, if this is what you're referring to, it's not what I'm interested in.

alert udp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"BLEEDING-EDGE TROJAN Storm Worm Encrypted Traffic Inbound - Likely Connect Ack"; dsize:2; threshold: type threshold, count 10, seconds 60, track by_dst; classtype:trojan-activity; sid:2007635; rev:1;)

There's no detection for the eDonkey protocol.  A dsize of 2 may be unusual, 
but it won't be unique.  Perhaps with the threshold false positives are 
reduced, but I'm trying to improve my snort-fu by writing rules that are 
extremely accurate in what they detect, and that requires protocol detection 
within the payload.

-- 
Paul Schmehl (pauls at ...1311...)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
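Added example, not part of this thread or of the Emerging Threats rule set: a small model of how the quoted rule's "threshold: type threshold, count 10, seconds 60, track by_dst" fires over constructed UDP traffic, with the per-packet match condition left as a parameter so a payload check can be tried next to the bare dsize:2 test. The window semantics are my reading of the Snort manual (alert on every 10th match per destination inside a 60 s window), and the eDonkey/Overnet header byte used in the stricter predicate is only meaningful for unencrypted datagrams.

```python
from collections import defaultdict


def dsize_matches(payload, dsize=2):
    """The only payload condition in the quoted rule: exactly `dsize` bytes."""
    return len(payload) == dsize


def edonkey_two_byte(payload):
    """Illustrative stricter predicate (assumption, not from the thread):
    dsize 2 plus the eDonkey/Overnet protocol header byte 0xE3 in byte 0."""
    return len(payload) == 2 and payload[0] == 0xE3


def threshold_alerts(packets, count=10, seconds=60, match=dsize_matches):
    """Return (timestamp, dst) pairs at which the rule would alert.

    packets: iterable of (ts_seconds, src_ip, dst_ip, payload_bytes).
    Models "type threshold ... track by_dst": one counter per destination,
    reset when the window of `seconds` expires, alert on every `count`-th hit.
    """
    state = defaultdict(lambda: {"start": None, "n": 0})  # keyed by dst
    alerts = []
    for ts, _src, dst, payload in sorted(packets, key=lambda p: p[0]):
        if not match(payload):
            continue                      # rule body did not match at all
        s = state[dst]
        if s["start"] is None or ts - s["start"] >= seconds:
            s["start"], s["n"] = ts, 1    # start a fresh window
        else:
            s["n"] += 1
        if s["n"] >= count:               # every count-th match in the window
            alerts.append((ts, dst))
            s["n"] = 0
    return alerts


# Constructed traffic, not captured data: 25 two-byte datagrams that carry the
# 0xE3 header byte to one host, 12 unrelated two-byte datagrams to another,
# and one three-byte datagram that dsize:2 never matches.
SAMPLE = (
    [(t, "198.51.100.7", "10.0.0.5", b"\xe3\x01") for t in range(25)]
    + [(t, "198.51.100.8", "10.0.0.6", b"\x00\x01") for t in range(12)]
    + [(3, "198.51.100.9", "10.0.0.5", b"\xe3\x01\x02")]
)

if __name__ == "__main__":
    # dsize:2 alone also alerts on the unrelated traffic to 10.0.0.6
    print("dsize only     :", threshold_alerts(SAMPLE))
    print("dsize + payload:", threshold_alerts(SAMPLE, match=edonkey_two_byte))
```

With dsize alone the unrelated two-byte datagrams to 10.0.0.6 cross the threshold and alert once; the payload predicate keeps only the two alerts for 10.0.0.5.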
