[Snort-users] W32.Badtrans.B at ...4138...

John Sage jsage at ...2022...
Tue Nov 27 07:31:06 EST 2001


Brad:

This seems to be doing it for me:

alert tcp any 110 -> any any (msg:"Virus - Possible scr Worm";
  content: ".scr"; nocase; sid:729;  classtype:misc-activity; rev:3;)

This is in virus.rules in the 1.8.2 build 86 *nix release.


Results:

[**] Virus - Possible scr Worm [**]
11/25-09:24:33.110806 216.21.229.220:110 -> 12.82.129.39:63728
TCP TTL:50 TOS:0x0 ID:60154 IpLen:20 DgmLen:1014 DF
***AP*** Seq: 0x735E1172  Ack: 0xE8893930  Win: 0x7D78  TcpLen: 32
TCP Options (3) => NOP NOP TS: 50653281 30268773
2D 2D 3D 3D 3D 3D 5F 41 42 43 30 39 38 37 36 35  --====_ABC098765
34 33 32 31 44 45 46 5F 3D 3D 3D 3D 2D 2D 0D 0A  4321DEF_====--..
0D 0A 2D 2D 3D 3D 3D 3D 5F 41 42 43 31 32 33 34  ..--====_ABC1234
35 36 37 38 39 30 44 45 46 5F 3D 3D 3D 3D 0D 0A  567890DEF_====..
43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20 61 75  Content-Type: au
64 69 6F 2F 78 2D 77 61 76 3B 0D 0A 09 20 6E 61  dio/x-wav;... na
6D 65 3D 22 6E 65 77 73 5F 64 6F 63 2E 44 4F 43  me="news_doc.DOC
2E 73 63 72 22 0D 0A 43 6F 6E 74 65 6E 74 2D 54  .scr"..Content-T
72 61 6E 73 66 65 72 2D 45 6E 63 6F 64 69 6E 67  ransfer-Encoding
3A 20 62 61 73 65 36 34 0D 0A 43 6F 6E 74 65 6E  : base64..Conten
74 2D 49 44 3A 20 3C 45 41 34 44 4D 47 42 50 39  t-ID: <EA4DMGBP9
70 3E 0D 0A 0D 0A 54 56 71 51 41 41 4D 41 41 41  p>....TVqQAAMAAA
41 45 41 41 41 41 2F 2F 38 41 41 4C 67 41 41 41  AEAAAA//8AALgAAA

<snip>
bthaler at ...2720... wrote:

> Does anyone have a rule for the new W32.Badtrans.B at ...4138... virus going around?
> I'm getting flooded with it, and was hoping to be able to keep track of it.
> 
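Added example, not from John's post or from the Snort distribution: a Python script that replays the rule's content:".scr"; nocase; test on a constructed POP3 RETR body modelled on the MIME headers in the dump above, and beside it a MIME-aware check that reports only parts whose attachment name ends in .scr together with the Content-Type the part claims (the dump shows an executable name under audio/x-wav). The sample messages, addresses and base64 stub are constructed; the benign message shows the raw substring test also firing on an unrelated word.

```python
from email import message_from_bytes, policy

# Constructed sample: a POP3 RETR body modelled on the MIME headers in the
# packet dump above; the base64 payload is a made-up stub, not the worm.
WORM_LIKE_MESSAGE = (
    b"From: sender@example.invalid\r\n"
    b"To: user@example.invalid\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: multipart/related;\r\n"
    b'\tboundary="====_ABC1234567890DEF_===="\r\n'
    b"\r\n"
    b"--====_ABC1234567890DEF_====\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"See the attached file.\r\n"
    b"--====_ABC1234567890DEF_====\r\n"
    b"Content-Type: audio/x-wav;\r\n"
    b'\t name="news_doc.DOC.scr"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"Content-ID: <EA4DMGBP9p>\r\n"
    b"\r\n"
    b"TVqQAAMAAAAEAAAA//8AALgAAAA=\r\n"
    b"--====_ABC1234567890DEF_====--\r\n"
)

# Constructed benign mail whose body contains ".scr" only as part of a word.
BENIGN_MESSAGE = (
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"Please review login.script before Friday.\r\n"
)

def snort_style_match(payload: bytes) -> bool:
    """Replay the rule's test: '.scr', case-insensitive, anywhere in the payload."""
    return b".scr" in payload.lower()

def scr_attachments(raw_message: bytes) -> list:
    """MIME-aware check: (filename, declared content type) for every part whose
    attachment name ends in .scr, whatever Content-Type the part claims."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        # get_filename() reads Content-Disposition filename= and falls back to
        # the Content-Type name= parameter, which is what the dump carries.
        name = part.get_filename()
        if name and name.lower().endswith(".scr"):
            hits.append((name, part.get_content_type()))
    return hits
```

The raw test fires on both messages; the MIME walk flags only the part named news_doc.DOC.scr and records that it was declared as audio/x-wav.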