[Snort-sigs] Storm worm rule

Paul Schmehl pauls at ...1311...
Wed Feb 13 19:06:26 EST 2008


--On Wednesday, February 13, 2008 16:17:35 -0600 David Thomason 
<dthomason at ...3341...> wrote:

> This rule would not trigger on the packet you provided for at least two
> reasons.  1) The content doesn't match.  2) The dsize is > 25.
>
> In your description you said "Normal data payload size is either 2 bytes or
> 25 bytes".  Since the offset is 46 (start counting at zero) your payload has
> to be longer than 25 bytes.
> Are you implying that the data payload is different than the setup payload?
> If so, you need to use at least two rules.  The first would set a flag if |10
> A6| is in the appropriate position and the second rule would check the flag
> and then the dsize.
>

I was wrong about the offset.  The |10 a6| bytes are the first two of the 
payload.

-- 
Paul Schmehl (pauls at ...1311...)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
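As an added illustration, not code from this thread or from Snort itself, here is a small Python model of how content/offset/dsize interact (why a content at offset 46 can never coexist with a 25-byte dsize) and of the two-rule flowbits approach David describes. The payloads, flow keys and the flowbit name storm.setup are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

STORM_MARKER = b"\x10\xa6"     # the |10 A6| bytes discussed in the thread


def content_at(payload: bytes, pattern: bytes, offset: int = 0,
               depth: Optional[int] = None) -> bool:
    """Snort-style 'content' with 'offset' (search starts at byte `offset`,
    counted from zero) and optional 'depth' (bytes searched after offset)."""
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    return pattern in window


def single_rule(payload: bytes, offset: int, sizes: Set[int]) -> bool:
    """One rule: content:"|10 A6|"; offset:<offset>; dsize:<one of sizes>;"""
    return content_at(payload, STORM_MARKER, offset) and len(payload) in sizes


def unsatisfiable_sizes(offset: int, sizes: Set[int]) -> Set[int]:
    """dsize values that can never coexist with the content at that offset:
    the pattern needs at least offset + len(pattern) bytes to fit."""
    needed = offset + len(STORM_MARKER)
    return {s for s in sizes if s < needed}


@dataclass
class FlowbitPair:
    """Two-rule approach: rule 1 sets a flag (flowbits:set,storm.setup;
    flowbits:noalert;) when the setup payload starts with the marker; rule 2
    (flowbits:isset,storm.setup; dsize:...) fires only on a later packet of the
    same flow. Flow state is keyed by a constructed (src, dst) tuple."""
    sizes: Set[int]
    flags: Set[Tuple[str, str]] = field(default_factory=set)

    def inspect(self, flow: Tuple[str, str], payload: bytes) -> bool:
        if content_at(payload, STORM_MARKER, offset=0, depth=2):
            self.flags.add(flow)          # rule 1: set the flag, no alert
            return False
        return flow in self.flags and len(payload) in self.sizes  # rule 2


# Constructed sample payloads (not real captures)
SETUP = STORM_MARKER + bytes(23)          # 25 bytes, marker is the first two
SHORT = STORM_MARKER                      # 2-byte payload
DATA = bytes(25)                          # 25 bytes without the marker

ORIGINAL = dict(offset=46, sizes={2, 25})  # as first posted: can never fire
FIXED = dict(offset=0, sizes={2, 25})      # marker is the first two bytes
```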