[Snort-sigs] Storm worm rule

Matt Jonkman jonkman at ...829...
Wed Feb 13 17:03:32 EST 2008


If you search the wiki for "storm worm" there are a number of hits, some
of the rules are gone now though (failed experiments on just tracking
dsize in udp).

But these two ought to catch what you're looking for:

http://doc.emergingthreats.net/bin/view/Main/2007701
http://doc.emergingthreats.net/bin/view/Main/2007702

And if you run the regular edonkey sigs you'll catch the old
non-encrypted variant quite well.

http://doc.emergingthreats.net/bin/view/Main/WebSearch?search=edonkey


As for the search: what can I do to make that easier? Did you just
search the main site vs the wiki?

matt


Paul Schmehl wrote:
> --On Wednesday, February 13, 2008 13:54:13 -0800 Matt Jonkman 
> <jonkman at ...829...> wrote:
> 
>> We've had this one covered in emerging threats sigs (both the regular
>> edonkey and the encrypted ones) for a very long time now.
>>
>> Were you running these, and if so were they not hitting?
>>
> 
> No, I don't run the emerging threats rules.  I tried searching for storm worm 
> on your site, but I didn't find rules that address this particular packet sig. 
> Perhaps I'm not searching correctly?
> 

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
