[Snort-sigs] Storm worm rule

Paul Schmehl pauls at ...1311...
Wed Feb 13 18:03:14 EST 2008


--On Wednesday, February 13, 2008 14:03:32 -0800 Matt Jonkman 
<jonkman at ...829...> wrote:

> If you search the wiki for "storm worm" there are a number of hits; some
> of the rules are gone now though (failed experiments on just tracking
> dsize in udp).
>
> But these two ought to catch what you're looking for:
>
> http://doc.emergingthreats.net/bin/view/Main/2007701
> http://doc.emergingthreats.net/bin/view/Main/2007702
>
> And if you run the regular edonkey sigs you'll catch the old
> non-encrypted variant quite well.
>
> http://doc.emergingthreats.net/bin/view/Main/WebSearch?search=edonkey
>
>
> As for the search: what can I do to make that easier? Did you just
> search the main site vs the wiki?

I originally searched the main website for "storm worm" which turned up nothing 
except links to news items and a sig for the download of the valentine worm. 
When I searched the wiki for "Storm worm" I found the rules.

-- 
Paul Schmehl (pauls at ...1311...)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/




