[Snort-users] Fizzer Worm Signature

Michael Bell michael.bell at ...9156...
Tue May 13 03:06:12 EDT 2003


Ty Bodell wrote:
> Hello community, I was wondering (it might be too early) whether anyone
> has a signature for the new Fizzer P2P worm or not? Let me know please.

Nobody answered, so I'll make a first try. I got an additional warning from
some CERTs, but nobody sent Snort signatures, so I checked F-Secure's homepage:

http://www.f-secure.com/v-descs/fizzer.shtml

If I understand the description right, then the following rule should
detect the worm:

alert tcp any any -> any any (msg:"Virus - Fizzer"; content:"Sparky will reign"; sid:999; classtype:misc-activity; rev:1;)

any any -> any any is problematic, but my sparc has no problems with
it. The other question is what Kazaa uses for transport. I think it's
UDP, so I'm scanning UDP too.

alert udp any any -> any any (msg:"Virus - Fizzer"; content:"Sparky will reign"; sid:999; classtype:misc-activity; rev:1;)

This is perhaps not the best way to scan for this virus, but it works for
my machine. We have no reports about infections with this worm, and we
detect no such worms in our network, so I'm not sure about the
correctness of the rule.

An optimization could be the use of mail server ports for TCP, but all
Snort rules in virus.rules only check POP3 and ignore POP2, IMAP2 and
IMAP3. This is the reason why the default ruleset for viruses doesn't work
for us (we are only using IMAP).

Best regards

Michael
-- 
-------------------------------------------------------------------
Michael Bell                   Email: michael.bell at ...9156...
ZE Computer- und Medienservice            Tel.: +49 (0)30-2093 2482
(Computing Centre)                        Fax:  +49 (0)30-2093 2704
Humboldt-University of Berlin
Unter den Linden 6
10099 Berlin                   Email (private): michael.bell at ...5689...
Germany                                       http://www.openca.org
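The following is an added example, not code from the post or from the Snort project. It models what the two posted rules actually test (a literal, case-sensitive `content:` substring search over each packet payload) and what the suggested port restriction would change: restricting to the POP3 port alone misses the same string arriving over IMAP, while restricting to all four mail-retrieval ports keeps the hit. It also shows the per-packet caveat: a string that straddles a segment boundary is only seen once the stream is reassembled. All traffic records are constructed for the example; the `Packet` class, the rule functions and the port sets are assumptions of this example, and the port numbers are the IANA assignments for pop2 (109), pop3 (110), imap2 (143) and imap3 (220).

```python
"""Models the posted Snort rules: a literal content match over payloads,
with and without a mail-server port restriction (added example)."""
from dataclasses import dataclass
from typing import Iterable, List

# Literal from the posted rule. Snort's content: option is a case-sensitive
# byte-string search unless nocase is given.
SIGNATURE = b"Sparky will reign"

# IANA ports for the mail-retrieval protocols named in the post
# (assumed sets for this example; the stock virus.rules checked pop3 only).
POP3_ONLY = {110}
ALL_MAIL_PORTS = {109, 110, 143, 220}  # pop2, pop3, imap2, imap3


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_port: int
    dst_port: int
    payload: bytes


# Constructed sample traffic, not captured data.
SAMPLE_TRAFFIC: List[Packet] = [
    # IMAP FETCH response carrying the worm's subject line
    Packet("tcp", 143, 51000, b"* 1 FETCH (BODY[] {42}\r\nSubject: Sparky will reign\r\n"),
    # POP3 RETR response carrying the same line
    Packet("tcp", 110, 51001, b"+OK 1200 octets\r\nSubject: Sparky will reign\r\n"),
    # benign POP3 command, no match
    Packet("tcp", 51002, 110, b"RETR 1\r\n"),
    # UDP datagram on the KaZaA port (1214) carrying the string
    Packet("udp", 1214, 1214, b"KaZaA\x00Sparky will reign\x00"),
    # plain HTTP, no match
    Packet("tcp", 51003, 80, b"GET / HTTP/1.0\r\n\r\n"),
]

# Constructed: the same string split across two TCP segments.
SPLIT_STREAM: List[bytes] = [b"Subject: Sparky wi", b"ll reign\r\n"]


def content_match(payload: bytes, pattern: bytes = SIGNATURE) -> bool:
    """Equivalent of content:"..." : literal substring search in one payload."""
    return pattern in payload


def rule_any_any(pkt: Packet, proto: str) -> bool:
    """The posted rule: <proto> any any -> any any with a content match."""
    return pkt.proto == proto and content_match(pkt.payload)


def rule_mail_ports(pkt: Packet, ports: set) -> bool:
    """The suggested optimisation: TCP only, and only when either end is a
    mail-retrieval port (the string arrives in server responses, so the
    server port is the source port)."""
    return (pkt.proto == "tcp"
            and (pkt.src_port in ports or pkt.dst_port in ports)
            and content_match(pkt.payload))


def stream_match(segments: Iterable[bytes], pattern: bytes = SIGNATURE) -> bool:
    """Match over the reassembled stream; per-packet matching misses a
    pattern that straddles a segment boundary."""
    return pattern in b"".join(segments)


def evaluate(traffic: Iterable[Packet]) -> dict:
    """Count hits for each rule variant over the given traffic."""
    traffic = list(traffic)
    return {
        "tcp_any_any": sum(rule_any_any(p, "tcp") for p in traffic),
        "udp_any_any": sum(rule_any_any(p, "udp") for p in traffic),
        "tcp_pop3_only": sum(rule_mail_ports(p, POP3_ONLY) for p in traffic),
        "tcp_all_mail_ports": sum(rule_mail_ports(p, ALL_MAIL_PORTS) for p in traffic),
    }


if __name__ == "__main__":
    for name, hits in evaluate(SAMPLE_TRAFFIC).items():
        print(f"{name:20s} {hits} hit(s)")
    print("per-segment:", [content_match(s) for s in SPLIT_STREAM])
    print("reassembled:", stream_match(SPLIT_STREAM))
```

Over the constructed traffic, the "any any" TCP rule and the all-mail-ports variant both fire on the IMAP and POP3 responses, while the POP3-only variant fires once, which is the gap the post describes for an IMAP-only site. The split-stream case is why a content rule like this is only as good as the sensor's stream reassembly.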