[Snort-users] Klez Incoming

Sean T. Ballard stballard at ...4587...
Thu Nov 14 06:32:06 EST 2002


LOL just these e-mails are setting off false positives for me.

-----Original Message-----
From: Shane Williams [mailto:shanew at ...5387...]
Sent: Thursday, November 14, 2002 9:19 AM
To: Jacob Redding
Cc: snort-users at lists.sourceforge.net; snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-users] Klez Incoming


-----BEGIN PGP SIGNED MESSAGE-----

I've been using the following rule for about 9 months now and I
haven't seen any false positives (I'm also using it as a system-wide
procmail filter and I check for false positives there), nor has anyone
reported a false positive with this sig.

I purposely put in some of the carriage returns so it's less likely to
set off people's filters.  Note also that I want to know if it's
leaving my network as well as coming in.

# Catch Klez in SMTP
alert tcp any any -> any 25 (msg:"Virus - Klez"; 
content:"135AAItEjhyJRI8ci0SOGI
lEjxiLRI4UiUSPFItEjhCJRI8Qi0SODIlEjwyLRI4IiUSPCItE"; sid:10012;
classtype:misc-activity; rev:1;)

If you get either false negatives or positives, please let me know.

For the snort-sig people.  Could someone replace the one Jacob points
out below with the one above, or tell me how I can do it.  Looking
over the list archives there are repeated complaints about false
positives with the one below.

On Wed, 13 Nov 2002, Jacob Redding wrote:

> Shane,
>    The rule is found in virus.rules
> 
> alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"VIRUS Klez Incoming";
> flow:to_server,established; dsize:>120; content:"MIME";
> content:"VGhpcyBwcm9"; classtype:misc-activity; sid:1800; rev:2;)
> 
>    Below is a copy-paste job from acid minus names and word content to
> protect the innocent ;) 4th row contains the offending code.
> 
>    We use sybari Antigen for exchange. it did not report this particular
> message as infected, our virus defs are up to date and it has reported
> others.
> <snip..snip>
> Content-Type: audio/x-midi;...name=Address Book.pfc.scr..
> Content-Transfer-Encoding: base64..Content-ID:
> <ML572Y3j6iy3X>....TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..AAAA4AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9
> ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1v..ZGUuDQ0KJAAAAAAAAABxd
> Tv8NRRVrzUUVa81FFWvTghZrzEUVa+2CFuvNxRVr90LX68gFFWv3QtR..rzcUVa9
> XC0avPhRVrzUUVK+OFFWv3QterzoUVa+NElOvNBRVr1JpY2g1FFWvAAAAAAAAAFV
> QRQA
> <snip>
> 
> 
> > We average about 30-40 per day with around 1000 accounts.
> >
> > Just to make sure, which rule are you using?  If you've got a copy of a
> > email that snort caught and your AV didn't, I'd be interested in seeing
> > a copy.
> >
> > On Wed, 13 Nov 2002, Jacob Redding wrote:
> >
> >>   Everyday I am receiving about 2-3 "VIRUS Klez Incoming" alerts from
> >> snort, but our virus protection program is not picking it up. I
> >> believe this is a false positive as our virus defs are up to date.
> >> Before I rule this as a false positive or start digging through
> >> peoples mailboxes (privacy policy, blah blah), has any else had this
> >> experience??
> >
> > --
> > Public key #7BBC68D9 at            |                 Shane Williams
> > http://pgp.mit.edu/                | Systems Administrator UT-GSLIS
> > =----------------------------------+-------------------------------
> > All syllogisms contain three lines |        shanew at ...6911...
> > Therefore this is not a syllogism  |   www.gslis.utexas.edu/~shanew
> 
> 
> 
> 
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 

- -- 
Public key #7BBC68D9 at            |                 Shane Williams
http://pgp.mit.edu/                | Systems Administrator UT-GSLIS
=----------------------------------+-------------------------------
All syllogisms contain three lines |        shanew at ...6911...
Therefore this is not a syllogism  |   www.gslis.utexas.edu/~shanew



-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBPdOwzma83yV7vGjZAQHTcwP/dDfjRrbkZv1O44kbQQCh0bwCl9p054ko
ylsa2sfUucz0HByym6NzfiwogNOmxw7uMnCgaB9ksQ2QnKa2ZB+xFZYiKk6g0tOi
Sf9yXQ+jbxlOG40rcVosk7mBExN+ylY/vhsr2Ar890aAQPYanNwKWUAWfmtE7TyU
a8ED4zlULhY=
=9o6e
-----END PGP SIGNATURE-----
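The difference between the two rules in this thread comes down to what the content strings actually match once you decode them. The following Python script is an added illustration, not code from the thread or from the Snort project. It decodes sid:1800's content string, builds a constructed (non-functional) blob shaped like the first bytes of a PE file, using the 14-byte DOS stub that is visible in Jacob's ACID paste, base64-encodes it as a MIME body would, and checks which of the two posted content strings a Snort-style substring match would find. The blob, the MIME wrapping, and the function names are all assumptions of this example.

```python
"""Why the virus.rules Klez signature (sid:1800) fires on any base64-encoded
Windows executable, and why a decoded-bytes check is offset-independent.

Added example for the Snort-users thread; not part of the thread or of Snort.
"""
import base64

# Content strings exactly as posted in the thread.
SID_1800_CONTENT = b"VGhpcyBwcm9"  # from virus.rules, "VIRUS Klez Incoming"
SID_10012_CONTENT = (  # Shane's rule (the two posted fragments joined)
    b"135AAItEjhyJRI8ci0SOGIlEjxiLRI4UiUSPFItEjhCJRI8Qi0SODIlEjwyLRI4IiUSPCItE"
)

# The text every linker-generated DOS stub carries (with its usual trailer).
DOS_STUB_MESSAGE = b"This program cannot be run in DOS mode.\r\r\n$"

B64_ALPHABET = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def decode_b64_fragment(fragment: bytes) -> bytes:
    """Decode a base64 fragment that is neither padded nor 4-aligned (a Snort
    content string is just a substring of the encoded stream). Trailing bits
    that do not complete a byte are dropped."""
    bits, nbits, out = 0, 0, bytearray()
    for ch in fragment:
        bits = (bits << 6) | B64_ALPHABET.index(ch)
        nbits += 6
        if nbits >= 8:
            nbits -= 8
            out.append((bits >> nbits) & 0xFF)
            bits &= (1 << nbits) - 1
    return bytes(out)


def fake_pe_prefix(shift: int = 0) -> bytes:
    """Constructed stand-in for the start of a PE file: a 64-byte 'MZ' header
    placeholder, the 14-byte DOS stub code seen in Jacob's paste, then the stub
    message. `shift` prepends bytes so the message lands at a different offset
    mod 3; the result is not a valid executable, only the alignment matters."""
    mz_header = b"MZ" + b"\x00" * 62
    stub_code = bytes.fromhex("0e1fba0e00b409cd21b8014ccd21")
    return b"\x00" * shift + mz_header + stub_code + DOS_STUB_MESSAGE + b"\x00" * 16


def mime_base64(data: bytes, line_len: int = 76) -> bytes:
    """Encode as a MIME base64 body: 76-character lines separated by CRLF."""
    enc = base64.b64encode(data)
    return b"\r\n".join(enc[i:i + line_len] for i in range(0, len(enc), line_len))


def rule_hits(encoded_body: bytes) -> dict:
    """Which posted content strings a plain substring match finds in the
    on-the-wire (still base64) body, which is what Snort's 'content' sees."""
    return {
        "sid1800": SID_1800_CONTENT in encoded_body,
        "sid10012": SID_10012_CONTENT in encoded_body,
    }


def decoded_has_dos_stub(encoded_body: bytes) -> bool:
    """Defender-side check: strip MIME line breaks, decode, then inspect the
    bytes. Unlike matching on encoded text, this does not depend on where the
    string sits relative to a 3-byte boundary."""
    raw = base64.b64decode(encoded_body.replace(b"\r\n", b""))
    return DOS_STUB_MESSAGE in raw


if __name__ == "__main__":
    # sid:1800 matches the DOS stub text that nearly every PE file carries.
    print(decode_b64_fragment(SID_1800_CONTENT))
    for shift in (0, 1, 2):
        body = mime_base64(fake_pe_prefix(shift))
        print(shift, rule_hits(body), decoded_has_dos_stub(body))
```

With shift 0 (the normal layout, where the stub message starts at offset 0x4E, a multiple of 3) the generic rule matches the harmless blob while Shane's string does not; with shift 1 or 2 the same bytes encode to different text and the generic rule misses them, although the decoded check still finds the stub. That is the pair of failure modes behind both the false positives Jacob sees and the false negatives Shane asks about.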


