[Snort-sigs] Storm worm rule

Matt Jonkman jonkman at ...829...
Wed Feb 13 17:03:32 EST 2008

If you search the wiki for "storm worm" there are a number of hits, some
of the rules are gone now though (failed experiments on just tracking
dsize in udp).

But these two ought to catch what you're looking for:


And if you run the regular edonkey sigs you'll catch the old
non-encrypted variant quite well.


As for the search: what can I do to make that easier? Did you just
search the main site vs the wiki?


Paul Schmehl wrote:
> --On Wednesday, February 13, 2008 13:54:13 -0800 Matt Jonkman 
> <jonkman at ...829...> wrote:
>> We've had this one covered in emerging threats sigs (both the regular
>> edonkey and the encrypted ones) for a very long time now.
>> Were you running these, and if so were they not hitting?
> No, I don't run the emerging threats rules.  I tried searching for storm worm 
> on your site, but I didn't find rules that address this particular packet sig. 
> Perhaps I'm not searching correctly?

Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205

PGP: http://www.jonkmans.com/mattjonkman.asc
