[Snort-users] Re: [Snort-users] Here are my updated MyDoom/MIMAIL.R and Variant signatures for Snort

SNORT snort_on_acid at ...131...
Mon Feb 2 06:46:26 EST 2004


Hi Sam,
It appears to me that these rules you've enabled would
set off tons of false alerts. 

Not sure why everyone needs new rules to catch the new
worm, I used the existing "VIRUS OUTBOUND .pif file
attachment" and .scr attachment rules and found a
handful here the day it came out. I mean, who would
legitimately be sending .scr or .pif files? I had zero
false positives/negatives.

Cheese!

Marc

---------------Original Message----------------------
Message: 2
Date: Wed, 28 Jan 2004 15:16:17 -0700 (MST)
From: sam at ...5202...
To: "Martin Jr., D. Michael" <martinm at ...10218...>
Cc: sam at ...5202..., "Joe Stewart" <jstewart at ...262...>,
    snort-sigs at lists.sourceforge.net, snort-users at lists.sourceforge.net
Subject: [Snort-users] Here are my updated MyDoom/MIMAIL.R and Variant signatures for Snort

Yes.  I posted an updated set of signatures that match
against the three
different body contents yesterday, I believe.

Please note that I have tested these on our perimeter
IDS and it has
successfully triggered against infected emails coming
in.  I've changed
the destination on these rules to be $EXTERNAL_NET so
that it will trigger
if any infected machines inside a network are sending
outbound.

As always, YMMV with these signatures.

-Sam

Here they are again:

# Note: Snort applies 'nocase' only to the content option immediately before
# it, so in the first three rules only the Content-Transfer-Encoding match is
# case-insensitive; the body phrase and Content-Type matches are exact-case.
alert tcp any any -> $EXTERNAL_NET 25 \
  (msg: "VIRUS - MyDoom/MIMAIL.R Outbound 1"; \
  content: "represented in 7-bit ASCII"; \
  content: "Content-Type\: application/octet-stream"; \
  content: "Content-Transfer-Encoding\: base64"; \
  nocase; rev: 4; sid:1000569;)

alert tcp any any -> $EXTERNAL_NET 25 \
  (msg: "VIRUS - MyDoom/MIMAIL.R Outbound 2"; \
  content: "Mail transaction failed"; \
  content: "Content-Type\: application/octet-stream"; \
  content: "Content-Transfer-Encoding\: base64"; \
  nocase; rev: 4; sid:1000570;)

alert tcp any any -> $EXTERNAL_NET 25 \
  (msg: "VIRUS - MyDoom/MIMAIL.R Outbound 3"; \
  content: "The message contains Unicode characters"; \
  content: "Content-Type\: application/octet-stream"; \
  content: "Content-Transfer-Encoding\: base64"; \
  nocase; rev: 4; sid:1000571;)

alert tcp any any -> $EXTERNAL_NET 25 \
  (msg: "VIRUS - MyDoom/MIMAIL.R Variant Outbound"; \
  content: "We are sorry your UTF-8 encoding is not supported by the server"; \
  nocase; rev: 1; sid:1000572;)
------------------------------------------------------
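The exchange above turns on how precise the two detection approaches are: Sam's rules key on MyDoom's fixed body phrases plus a base64 octet-stream attachment, while Marc relies on the stock ".pif/.scr attachment" rules. The following Python script is an added example, not code from either message or from the Snort project: it emulates Snort's content-match semantics (every `content` must hit; `nocase` modifies only the preceding `content`) for the four posted rules and for an approximation of the stock attachment rules, then runs them over constructed SMTP payloads. The text of the stock attachment rules, the `example.test` addresses and the sample messages are all assumptions made for this example.

```python
"""Emulate the content-match logic of the four MyDoom/MIMAIL.R rules posted
above and of a generic ".pif/.scr attachment" rule, then run both over
constructed SMTP payloads.  Added example; not code from the thread."""

# A rule is a list of (pattern, nocase) pairs.  This mirrors Snort semantics:
# every content option must be found, and 'nocase' modifies only the content
# option immediately before it.  In the posted rules the body phrase and the
# Content-Type header are therefore case-sensitive; only the
# Content-Transfer-Encoding match (and all of sid 1000572) is case-insensitive.
MYDOOM_RULES = {
    1000569: [("represented in 7-bit ASCII", False),
              ("Content-Type: application/octet-stream", False),
              ("Content-Transfer-Encoding: base64", True)],
    1000570: [("Mail transaction failed", False),
              ("Content-Type: application/octet-stream", False),
              ("Content-Transfer-Encoding: base64", True)],
    1000571: [("The message contains Unicode characters", False),
              ("Content-Type: application/octet-stream", False),
              ("Content-Transfer-Encoding: base64", True)],
    1000572: [("We are sorry your UTF-8 encoding is not supported by the server",
               True)],
}

# Approximation of the stock "VIRUS OUTBOUND .pif/.scr file attachment" rules
# Marc mentions: ordered, case-insensitive matches on the Content-Disposition
# header.  The exact stock rule text is an assumption of this example.
ATTACHMENT_RULES = {
    "VIRUS OUTBOUND .pif file attachment":
        [("Content-Disposition:", True), ('filename="', True), ('.pif"', True)],
    "VIRUS OUTBOUND .scr file attachment":
        [("Content-Disposition:", True), ('filename="', True), ('.scr"', True)],
}


def content_matches(patterns, payload, ordered=False):
    """True if every (pattern, nocase) pair is found in payload.

    ordered=True requires each match to start after the previous one ended,
    like a chain of 'distance:0' options; ordered=False mimics independent
    'content' options, which Snort may find anywhere in the payload."""
    pos = 0
    for pattern, nocase in patterns:
        hay = payload.lower() if nocase else payload
        needle = pattern.lower() if nocase else pattern
        idx = hay.find(needle, pos if ordered else 0)
        if idx < 0:
            return False
        pos = idx + len(needle)
    return True


def evaluate(payload):
    """Return the set of rule labels (sid or msg) that fire on one payload."""
    fired = set()
    for sid, pats in MYDOOM_RULES.items():
        if content_matches(pats, payload):
            fired.add(sid)
    for msg, pats in ATTACHMENT_RULES.items():
        if content_matches(pats, payload, ordered=True):
            fired.add(msg)
    return fired


def mime_mail(subject, body, ctype, filename, data):
    """Build a constructed two-part SMTP message body (not a real capture)."""
    return (
        "From: sender@example.test\r\nTo: rcpt@example.test\r\n"
        f"Subject: {subject}\r\nMIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
        "--b1\r\nContent-Type: text/plain; charset=us-ascii\r\n\r\n"
        f"{body}\r\n"
        f'--b1\r\nContent-Type: {ctype}; name="{filename}"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        f'Content-Disposition: attachment; filename="{filename}"\r\n\r\n'
        f"{data}\r\n--b1--\r\n"
    )


# Constructed samples: worm-like, a variant, a benign forward, a benign PDF.
MYDOOM_STYLE = mime_mail("Error", "Mail transaction failed. Partial message is available.",
                         "application/octet-stream", "document.pif", "TVqQAAMAAAAEAAAA")
VARIANT_STYLE = mime_mail("hello", "We are sorry your UTF-8 encoding is not supported by the server",
                          "application/octet-stream", "readme.scr", "TVqQAAMAAAAEAAAA")
ADMIN_FORWARD = mime_mail("FW: bounce sample", "The bounce we keep seeing says 'Mail transaction failed'.",
                          "application/octet-stream", "sample.zip", "UEsDBBQAAAAIAA==")
PDF_REPORT = mime_mail("Q4 report", "Report attached.", "application/pdf", "report.pdf", "JVBERi0xLjQK")

if __name__ == "__main__":
    for name, mail in [("MYDOOM_STYLE", MYDOOM_STYLE), ("VARIANT_STYLE", VARIANT_STYLE),
                       ("ADMIN_FORWARD", ADMIN_FORWARD), ("PDF_REPORT", PDF_REPORT)]:
        print(f"{name:14} -> {sorted(map(str, evaluate(mail))) or 'no alert'}")
```

Running it shows the trade-off in miniature: the worm-like sample fires both sid 1000570 and the .pif rule, the benign forward that quotes the worm's text with a .zip attached fires only sid 1000570, and the PDF fires nothing. It also shows the `nocase` placement caveat: if the body phrase in the worm-like sample is upper-cased, sid 1000570 no longer matches while the attachment rule still does.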

