[Snort-sigs] Storm worm rule

Paul Schmehl pauls at ...1311...
Wed Feb 13 17:05:53 EST 2008


--On Wednesday, February 13, 2008 13:54:13 -0800 Matt Jonkman 
<jonkman at ...829...> wrote:

> We've had this one covered in emerging threats sigs (both the regular
> edonkey and the encrypted ones) for a very long time now.
>
> Were you running these, and if so were they not hitting?
>

OK, this is more like it.

alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Storm Worm Encrypted Variant 1 Traffic (1)"; dsize:25; content:"|10 a6 d4 c3|"; depth:4; threshold: type both, count 1, seconds 60, track by_src; classtype:trojan-activity; sid:2007701; rev:2;)

But there's no offset, so it could still false positive *and* the d4 c3 won't 
be in every packet (as you can see from the capture that I posted) whereas the 
10 a6 will be in every packet (10 a6 is the encrypted protocol signature for 
eDonkey.)

-- 
Paul Schmehl (pauls at ...1311...)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
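Added example, not part of the original post or of the Emerging Threats ruleset: a small Python model of the Snort options the rule above uses (dsize, content with |hex|, offset/depth, and the threshold clause) run over constructed 25-byte payloads, to show which datagrams the posted 4-byte content matches versus a 2-byte "10 a6" check. The sample payloads are constructed here, not taken from the capture mentioned in the thread.

```python
from typing import Optional


def parse_content(content: str) -> bytes:
    """Expand Snort content syntax: text is literal, |..| sections are hex bytes."""
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        out.extend(part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part))
    return bytes(out)


def rule_matches(payload: bytes, dsize: int, content: str,
                 offset: int = 0, depth: Optional[int] = None) -> bool:
    """dsize:N requires an exact payload length; content must lie fully inside
    the window starting at `offset` and spanning `depth` bytes (whole payload if None)."""
    if len(payload) != dsize:
        return False
    end = len(payload) if depth is None else offset + depth
    return payload.find(parse_content(content), offset, end) != -1


class Threshold:
    """threshold: type both, count N, seconds S, track by_src: alert once per source
    once N events have been seen inside an S-second window, then stay quiet."""

    def __init__(self, count: int, seconds: int) -> None:
        self.count, self.seconds = count, seconds
        self.state = {}  # src -> (window_start, events_seen, already_alerted)

    def event(self, src: str, now: float) -> bool:
        start, seen, alerted = self.state.get(src, (now, 0, False))
        if now - start >= self.seconds:  # window expired: start a fresh one
            start, seen, alerted = now, 0, False
        seen += 1
        fire = seen >= self.count and not alerted
        self.state[src] = (start, seen, alerted or fire)
        return fire


# Constructed 25-byte UDP payloads (hypothetical, for illustration only)
SAMPLES = {
    "full_sig": bytes.fromhex("10a6d4c3") + bytes(21),  # 10 a6 d4 c3 at offset 0
    "prefix_only": bytes.fromhex("10a6") + bytes(23),   # 10 a6 present, d4 c3 absent
    "unrelated": bytes(25),                             # right size, no marker
}


def evaluate(samples=SAMPLES):
    """Return (posted-rule hits, 2-byte-prefix hits) keyed by sample name."""
    posted = {n: rule_matches(p, 25, "|10 a6 d4 c3|", depth=4) for n, p in samples.items()}
    prefix = {n: rule_matches(p, 25, "|10 a6|", depth=2) for n, p in samples.items()}
    return posted, prefix
```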
