[Snort-sigs] Storm worm rule

Paul Schmehl pauls at ...1311...
Wed Feb 13 17:05:53 EST 2008

--On Wednesday, February 13, 2008 13:54:13 -0800 Matt Jonkman 
<jonkman at ...829...> wrote:

> We've had this one covered in emerging threats sigs (botht he regular
> edonkey and the encrypted ones) for a very long time now.
> Were you running these, and if so were they not hitting?

OK, this is more like it.

alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN 
Storm Worm Encrypted Variant 1 Traffic (1)"; dsize:25; content:"|10 a6 d4 c3|"; 
depth:4; threshold: type both, count 1, seconds 60, track by_src; 
classtype:trojan-activity; sid:2007701; rev:2;)

But there's no offset, so it could still false positive *and* the d4 c3 won't 
be in every packet (as you can see from the capture that I posted) whereas the 
10 a6 will be in every packet (10 a6 is the encrypted protocol signature for 

Paul Schmehl (pauls at ...1311...)
Senior Information Security Analyst
The University of Texas at Dallas

More information about the Snort-sigs mailing list