[Snort-users] scr Worm - false alarms

Frank Knobbe fknobbe at ...652...
Sun Feb 3 12:55:03 EST 2002


On Sun, 2002-01-27 at 22:50, Wolfgang Rohdewald wrote:
> this string results in a warning:
> 
> 65 69 76 65 64 3A 20 66 72 6F 6D 20 61 64 73 6C  eived: from adsl
> 2D 36 34 2D 31 36 34 2D 33 36 2D 35 37 2E 64 73  -64-164-36-57.ds
> 6C 2E 73 63 72 6D 30 31 2E 70 61 63 62 65 6C 6C  l.scrm01.pacbell
> 2E 6E 65 74 20 28 48 45 4C 4F 20 64 73 6C 2E 6C  .net (HELO dsl.l
> 6F 63 61 6C 29 20 28 72 6F 6F 74 40 36 34 2E 31  ocal) (root at ...4700...
> 
> caused by this rule:
> 
> alert tcp any 110 -> any any (msg:"Virus - Possible scr Worm"; content: ".scr"; nocase; sid:729; classtype:misc-activity; rev:3;)
> 
> 
> Is it possible to change this rule such that .scr only triggers if
> not followed by other characters? Supposing an extension like .scrm
> cannot carry that virus - which I am not certain of.


I guess simply adding a 'content: "filename=";' would be enough. Take a
look at the other rules in virus.rules and you see how they are
'refined'.

Regards,
Frank


