[Snort-sigs] Storm worm rule
pauls at ...1311...
Wed Feb 13 19:06:26 EST 2008
--On Wednesday, February 13, 2008 16:17:35 -0600 David Thomason
<dthomason at ...3341...> wrote:
> This rule would not trigger on the packet you provided for at least two
> reasons. 1. The content doesn't match. 2. The dsize is > 25.
> In your description you said "Normal data payload size is either 2 bytes or
> 25 bytes". Since the offset is 46 (start counting at zero) your payload has
> to be longer than 25 bytes.
> Are you implying that the data payload is different than the setup payload?
> If so, you need to use at least two rules. The first would set a flag if |10
> A6| is in the appropriate position and the second rule would check the flag
> and then the dsize.
I was wrong about the offset. The |10 a6| bytes are the first two of the
Paul Schmehl (pauls at ...1311...)
Senior Information Security Analyst
The University of Texas at Dallas
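The two-rule approach described in the quoted message, written out as an added example (this is not a rule from either poster or from any published Storm worm signature). It assumes the traffic is UDP, uses a placeholder flowbit name (storm_setup) and placeholder SIDs, and takes the |10 A6| marker at offset 46 of the setup packet from the thread's own description:

```snort
# Added example, not from the thread. Assumptions: UDP transport, the
# flowbit name storm_setup and the SIDs 1000001/1000002 are placeholders.

# Rule 1: the setup packet. Matching two bytes at offset 46 (counting from
# zero) needs a payload of at least 48 bytes, so the 2-byte and 25-byte data
# packets can never match this rule. flowbits:noalert records the flag on
# the flow without raising an alert by itself.
alert udp any any -> any any (msg:"Storm setup packet seen, flagging flow"; content:"|10 A6|"; offset:46; depth:2; dsize:>47; flowbits:set,storm_setup; flowbits:noalert; sid:1000001; rev:1;)

# Rule 2: the data packet. Fires only on a flow where rule 1 already set the
# flag and the payload is at most 25 bytes, which is why a single rule that
# requires both the offset-46 content and dsize <= 25 could never trigger.
alert udp any any -> any any (msg:"Storm data packet on flagged flow"; flowbits:isset,storm_setup; dsize:<26; sid:1000002; rev:1;)
```

Flowbits are kept per tracked flow, so the stream preprocessor must be configured to track the protocol in question (for UDP that is not always enabled by default); without flow tracking the second rule never sees the flag set by the first.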