[Snort-users] Re: bugbear signature?

Shane Williams shanew at ...5387...
Wed Oct 2 16:24:32 EDT 2002


-----BEGIN PGP SIGNED MESSAGE-----

I've spent some time today looking into this and here's the rule I've
come up with to find it in SMTP traffic.  Someone feel free to
optimize it if necessary (I try not to use some of the new rule
features to maintain some backward compatibility).

alert tcp any any -> any 25 (msg:"Bugbear at ...7059... virus in SMTP"; content:"uv+LRCQID7dIDFEECggDSLm9df8C/zSNKDBBAAoGA0AEUQ+FEN23f7doqAT/dCQk/xWcEQmDxCTD"; sid:900001; classtype:misc-activity; rev:1;)

I've tested it against my log of traffic since Oct. 1 and found 8
unique hits.  I then ran a virus scanner over the decoded attachments
to each flagged message and got 8 for 8 on bugbear hits.  In that same
time frame, I know there are other similar viruses (Yaga and generic
Exploit-MIME), and none of them set off the bugbear rule above.

Of course, none of that guarantees that this rule won't create false
positives or false negatives, so if you get any, please let me know.

On Wed, 2 Oct 2002 lcweinmunson at ...7060... wrote:

> Does anyone have a working sig for the bugbear/tanatos virus yet?  We've 
> had one infection so far, but it was cleaned before I got a chance to 
> sniff its network traffic.
> 
> 
> 
> --
> Les Weinmunson

- -- 
Public key #7BBC68D9 at            |                 Shane Williams
http://pgp.mit.edu/                | Systems Administrator UT-GSLIS
=----------------------------------+-------------------------------
All syllogisms contain three lines |        shanew at ...6911...
Therefore this is not a syllogism  |   www.gslis.utexas.edu/~shanew


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBPZt/mGa83yV7vGjZAQGWaAP/QtVg84bvWkEUHFNHP9fiYlMQBLZN7EvL
o7CGRBQ9dGTw5AiSo9P5d1ipwEokzJhI2ohTADKkMfzcwej9IuFtpqqxND0pVswy
59hiGH5J9qVaVWs74bO5IuMyo5P0FwcHOtfmx0qSl0m3mC8AIz9FPtw/jUx+RUvQ
A9eeOHfN/Ko=
=JV9S
-----END PGP SIGNATURE-----
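The rule above matches a raw byte string in the SMTP stream, and that string is 76 characters long, which is exactly one line of MIME base64 (57 bytes of the attachment). The following Python script is an added example, not code from the post or from Snort: it emulates the rule's content match on the wire bytes, decodes the attachments the way the author did before running a scanner over them, and compares the two on a few constructed messages. The attachment bytes are simply the decoded rule string, not the worm, and the sender, recipient, boundary and filename are made up.

```python
import base64
import email
from email import policy

# The content: string from the rule above. It is 76 characters, i.e. exactly
# one line of RFC 2045 base64, which decodes to 57 bytes of the attachment.
SIGNATURE = b"uv+LRCQID7dIDFEECggDSLm9df8C/zSNKDBBAAoGA0AEUQ+FEN23f7doqAT/dCQk/xWcEQmDxCTD"
SIGNATURE_BYTES = base64.b64decode(SIGNATURE)


def rule_matches(raw_smtp: bytes) -> bool:
    """Emulate the rule's content: option: a case-sensitive, byte-for-byte
    search of the SMTP stream as it crosses the wire, with no transfer decoding."""
    return SIGNATURE in raw_smtp


def decode_attachments(raw_message: bytes) -> list:
    """Return [(filename, decoded bytes)] for every attachment, i.e. what you
    would hand to a virus scanner after decoding a flagged message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    return [(part.get_filename() or "", part.get_payload(decode=True))
            for part in msg.iter_attachments()]


def classify(raw_smtp: bytes) -> tuple:
    """(rule fired on the wire bytes, decoded attachment contains the 57 bytes).
    The two disagree exactly when the content match would give a false negative."""
    fired = rule_matches(raw_smtp)
    present = any(SIGNATURE_BYTES in data for _, data in decode_attachments(raw_smtp))
    return fired, present


def build_message(attachment: bytes, wrap: int = 76) -> bytes:
    """Constructed sample (not real traffic): a minimal multipart/mixed mail
    carrying `attachment` as a base64 part. `wrap` is the base64 line length
    the sending client used; 76 is the MIME maximum and the usual choice."""
    b64 = base64.b64encode(attachment).decode("ascii")
    body = "\r\n".join(b64[i:i + wrap] for i in range(0, len(b64), wrap))
    return (
        "From: sender@example.test\r\n"
        "To: victim@example.test\r\n"
        "Subject: constructed sample\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="XYZ"\r\n'
        "\r\n"
        "--XYZ\r\n"
        "Content-Type: text/plain\r\n"
        "\r\n"
        "see attachment\r\n"
        "--XYZ\r\n"
        "Content-Type: application/octet-stream\r\n"
        "Content-Transfer-Encoding: base64\r\n"
        'Content-Disposition: attachment; filename="sample.bin"\r\n'
        "\r\n"
        + body + "\r\n"
        "--XYZ--\r\n"
    ).encode("ascii")


if __name__ == "__main__":
    samples = {
        "signature at offset 0": build_message(SIGNATURE_BYTES),
        "signature at offset 57 (line-aligned)": build_message(b"A" * 57 + SIGNATURE_BYTES),
        "signature at offset 1 (misaligned)": build_message(b"\x00" + SIGNATURE_BYTES),
        "offset 0, client wraps base64 at 64": build_message(SIGNATURE_BYTES, wrap=64),
        "unrelated attachment": build_message(b"not the worm"),
    }
    for name, raw in samples.items():
        fired, present = classify(raw)
        print(f"{name:40} rule fired={fired!s:5} bytes present={present}")
```

The two cases where `classify` returns `(False, True)` are the false-negative modes a raw base64 content match carries: the same 57 bytes encode to different text if they sit at a different offset modulo 3 in the file, and the string is broken by a line break if the sending client wraps base64 at anything other than 76 columns. Neither affects the author's validation (the hits he saw were real), but they are worth keeping in mind when a sample is missed, and checking decoded attachments against the decoded bytes is the way to tell the two cases apart.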