[Snort-users] Re: bugbear signature?

Shane Williams shanew at ...5387...
Wed Oct 2 16:24:32 EDT 2002


I've spent some time today looking into this and here's the rule I've
come up with to find it in SMTP traffic.  Someone feel free to
optimize it if necessary (I try not to use some of the new rule
features to maintain some backward compatibility).

alert tcp any any -> any 25 (msg:"Bugbear at ...7059... virus in SMTP"; content:"uv+LRCQID7dIDFEECggDSLm9df8C/zSNKDBBAAoGA0AEUQ+FEN23f7doqAT/dCQk/xWcEQmDxCTD"; sid:900001; classtype:misc-activity; rev:1;)

I've tested it against my log of traffic since Oct. 1 and found 8
unique hits.  I then ran a virus scanner over the decoded attachments
to each flagged message and got 8 for 8 on bugbear hits.  In that same
time frame, I know there are other similar viruses (Yaga and generic
Exploit-MIME), and none of them set off the bugbear rule above.

Of course, none of that guarantees that this rule won't create false
positives or false negatives, so if you get any, please let me know.

On Wed, 2 Oct 2002 lcweinmunson at ...7060... wrote:

> Does anyone have a working sig for the bugbear/tanatos virus yet?  We've 
> had one infection so far, but it was cleaned before I got a chance to 
> sniff its network traffic.
> --
> Les Weinmunson

-- 
Public key #7BBC68D9 at            |                 Shane Williams
http://pgp.mit.edu/                | Systems Administrator UT-GSLIS
All syllogisms contain three lines |        shanew at ...6911...
Therefore this is not a syllogism  |   www.gslis.utexas.edu/~shanew
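Added illustration, not code from the post or from Snort: the script below pulls the content: pattern out of the rule above, runs the same byte-for-byte match over a constructed SMTP session, and contrasts it with a match on the decoded attachment, which still fires when a relay re-wraps the base64 body at a different line width and splits the 76-character line the rule keys on. The sender address, the shortened msg text and the filler lines are made up for the example.

```python
"""Added example (not from the post): parse the content: pattern out of the
rule above, match it byte-for-byte over a constructed SMTP session the way
Snort does, and contrast that with a match on the decoded attachment."""
import base64
import re

# Rule as posted; the msg text is shortened here. The 76-char pattern is one
# full-width base64 line of the attachment body.
BUGBEAR_RULE = (
    'alert tcp any any -> any 25 (msg:"Bugbear virus in SMTP"; '
    'content:"uv+LRCQID7dIDFEECggDSLm9df8C/zSNKDBBAAoGA0AEUQ+FEN23f7doqAT/dCQk/xWcEQmDxCTD"; '
    'sid:900001; classtype:misc-activity; rev:1;)'
)

def rule_content_patterns(rule: str) -> list[bytes]:
    """Every content:"..." option as raw bytes; |hex| runs are decoded."""
    pats = []
    for quoted in re.findall(r'content:\s*"((?:[^"\\]|\\.)*)"', rule):
        buf = b""
        for i, piece in enumerate(quoted.split("|")):
            buf += bytes.fromhex(piece) if i % 2 else piece.encode()
        pats.append(buf)
    return pats

def find_hits(session: bytes, patterns: list[bytes]) -> list[int]:
    """Byte-exact search, like Snort's content match; returns match offsets."""
    return sorted(m.start() for p in patterns
                  for m in re.finditer(re.escape(p), session))

def decoded_hit(session: bytes, patterns: list[bytes]) -> bool:
    """Decode the base64 body and look for the decoded bytes of each pattern."""
    body = session.split(b"\r\n\r\n", 1)[1]
    raw = base64.b64decode(b"".join(body.split(b"\r\n")))
    return any(base64.b64decode(p) in raw for p in patterns)

def rewrap(session: bytes, width: int) -> bytes:
    """Re-flow the base64 body at another line width, as some relays do."""
    hdr, body = session.split(b"\r\n\r\n", 1)
    flat = b"".join(body.split(b"\r\n"))
    lines = [flat[i:i + width] for i in range(0, len(flat), width)]
    return hdr + b"\r\n\r\n" + b"\r\n".join(lines) + b"\r\n"

# Constructed session: two filler base64 lines around the signature line.
PATTERN = rule_content_patterns(BUGBEAR_RULE)[0]
FILLER = base64.b64encode(bytes(range(57)))  # 57 bytes -> one 76-char line
SESSION = (b"From: sender@example.test\r\nContent-Transfer-Encoding: base64\r\n\r\n"
           + b"\r\n".join([FILLER, PATTERN, FILLER]) + b"\r\n")
```

Running find_hits on SESSION gives one offset, on rewrap(SESSION, 64) none, while decoded_hit returns True for both; a real SMTP preprocessor would also have to reassemble the TCP stream before either check.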


