[Snort-users] NetSky worm signature definition...!!!

Semerjian, Ohanes ohanes.semerjian at ...8907...
Thu Feb 19 17:24:01 EST 2004


I agree with what Shane mentioned and was hoping for a more specific signature
that looks into the payload. I mean, if the virus has been caught and someone
has found out that the payload contains a certain sequence of values that
identify this worm.


Best Regards

Ohanes Semerjian


-----Original Message-----
From: Shane Williams [mailto:shanew at ...5387...]
Sent: Friday, February 20, 2004 10:31 AM
To: Tim Hergert
Cc: Semerjian, Ohanes; snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] NetSky worm signature definition...!!!


I would strongly discourage this rule to catch Klez, NetSky or any
virus, for that matter.  Running the string through some archived
mail, I'm seeing lots of false positives, particularly in (legitimate)
word documents.

I'll see what I can do to come up with something that reduces false
positives.

On Thu, 19 Feb 2004, Tim Hergert wrote:

> Having a portion that is a mass mailer, you'll see it come in on port 25 for
> sure . . .
> 
> Using Matt Kettler's suggestion, I quickly kluged together a rule using the
> clam av signature
> http://www.clamav.net/
> 
> However, the old Klez detection rule seems to be triggered by NetSky, and
> the log times seem to correlate exactly with the logs from the antivirus
> software on the mail server.
> 
> alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"VIRUS Klez Incoming";
> flow:to_server,established; dsize:>120; content:"MIME";
> content:"VGhpcyBwcm9"; classtype:misc-activity; sid:1800; rev:3;)
> 
> Seems to work well for me, but maybe I'm just lucky.
> 
> 
> -----Original Message-----
> From: Semerjian, Ohanes [mailto:ohanes.semerjian at ...8907...]
> Sent: February 18, 2004 8:23 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] NetSky worm signature definition...!!!
> 
> 
> Hello all, 
> Just was wondering if anyone had this latest worm signature defined or knows
> how it works (like which port, protocol it uses )
> Best Regards 
> Ohanes Semerjian 
> 
> 

-- 
Public key #7BBC68D9 at            |                 Shane Williams
http://pgp.mit.edu/                |      System Admin - UT iSchool
=----------------------------------+-------------------------------
All syllogisms contain three lines |              shanew at ...5387...
Therefore this is not a syllogism  | www.ischool.utexas.edu/~shanew
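The content string in Tim's quoted rule, "VGhpcyBwcm9", is the base64 encoding of "This prog", the start of the "This program cannot be run in DOS mode" text that the DOS stub of ordinary Win32 executables carries. That explains both observations in the thread: the rule fires on any base64 attachment that contains that text at a matching offset (hence Shane's false positives), and it silently misses the same text when it sits at a different offset, because base64 has three possible alignments. The script below is an added example written for this page; it is not code from the thread, from Tim or Shane, or from the Snort project. The attachments it encodes are constructed blobs (no real malware), the function names are my own, and the offset 0x4E for the stub text is the layout of the common Microsoft linker stub. It reproduces the quoted rule's content checks, compares them with a decode-then-match check, and generalises Tim's approach by deriving all three base64 alignments of any byte string so that a rule set covers each (later Snort 2.9.x releases added base64_decode/base64_data keywords for this; the thread predates them).

```python
import base64

# Content string from the quoted sid:1800 rule: base64 of "This prog" when the
# plaintext starts on a 3-byte boundary of the encoded stream.
RULE_CONTENT = b"VGhpcyBwcm9"
# Text carried by the DOS stub of ordinary Win32 executables; in the common
# Microsoft linker stub it sits at file offset 0x4E (78), and 78 % 3 == 0,
# which is why a single-alignment content match happens to work on plain .exe files.
DOS_STUB = b"This program cannot be run in DOS mode."


def base64_variants(needle: bytes) -> list[bytes]:
    """The three base64 encodings of `needle`, one per offset class mod 3,
    trimmed to the characters that do not depend on the surrounding bytes."""
    lead = {0: 0, 1: 2, 2: 3}    # leading chars that mix in the preceding bytes
    trail = {0: 0, 1: 3, 2: 2}   # trailing chars (incl. '=') that mix in the following bytes
    variants = []
    for shift in range(3):
        enc = base64.b64encode(b"\x00" * shift + needle)
        end = len(enc) - trail[(shift + len(needle)) % 3]
        variants.append(enc[lead[shift]:end])
    return variants


def snort_rules_for(needle: bytes, first_sid: int, msg: str) -> list[str]:
    """One Snort 2 rule per alignment, in the shape of the quoted rule.
    Base64 output never contains ; " | or backslash, so no content escaping is needed."""
    return [
        'alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"%s (b64 align %d)"; '
        'flow:to_server,established; content:"MIME"; content:"%s"; '
        'classtype:misc-activity; sid:%d; rev:1;)'
        % (msg, i, v.decode("ascii"), first_sid + i)
        for i, v in enumerate(base64_variants(needle))
    ]


def build_smtp_data(attachment: bytes) -> bytes:
    """Constructed SMTP DATA payload carrying one base64 attachment (76-column lines)."""
    headers = (b"From: a@example.test\r\nTo: b@example.test\r\nSubject: x\r\n"
               b"MIME-Version: 1.0\r\nContent-Type: application/octet-stream\r\n"
               b"Content-Transfer-Encoding: base64\r\n\r\n")
    return headers + base64.encodebytes(attachment).replace(b"\n", b"\r\n") + b".\r\n"


def tim_rule_matches(payload: bytes) -> bool:
    """The quoted sid:1800 rule minus flow state: dsize>120, 'MIME', then the base64 token."""
    return len(payload) > 120 and b"MIME" in payload and RULE_CONTENT in payload


def decoded_contains(payload: bytes, needle: bytes) -> bool:
    """What a decode-then-match check sees: unwrap the body, decode it, search the bytes."""
    body = payload.split(b"\r\n\r\n", 1)[1].rsplit(b".\r\n", 1)[0]
    return needle in base64.b64decode(body.replace(b"\r\n", b""))


# Constructed attachments (not real files): a PE-like blob with the stub text at
# offset 78, a benign-looking archive that embeds the same text at another
# 3-aligned offset (99), the same stub shifted to offset 79, and plain text.
WORM_LIKE = b"MZ" + b"\x90" * 76 + DOS_STUB + b"\x00" * 40
BENIGN_EMBED = b"legit-archive" + b"\x00" * 86 + DOS_STUB + b"B" * 40
SHIFTED = b"MZ" + b"\x90" * 77 + DOS_STUB + b"\x00" * 40
PLAIN = b"Quarterly report attached, see you Monday." * 4


def evaluate() -> dict[str, tuple[bool, bool]]:
    """For each constructed attachment: (quoted rule fires, stub present after decoding)."""
    samples = {"worm_like": WORM_LIKE, "benign_embed": BENIGN_EMBED,
               "shifted": SHIFTED, "plain": PLAIN}
    return {name: (tim_rule_matches(p), decoded_contains(p, DOS_STUB))
            for name, p in ((n, build_smtp_data(a)) for n, a in samples.items())}


if __name__ == "__main__":
    for name, (fires, present) in evaluate().items():
        print(f"{name:13s} rule_fires={fires!s:5s} stub_in_decoded={present}")
    for rule in snort_rules_for(DOS_STUB[:12], 1000001, "VIRUS DOS stub in base64"):
        print(rule)
```

Running it shows the quoted rule firing on both the worm-like blob and the benign embed (the rule has no way to tell them apart: it keys on text every Win32 binary carries), missing the one-byte-shifted copy entirely, and staying quiet on plain text. Two caveats follow from the mechanics: a MIME line break at column 76 can land inside an 11-character token and defeat a raw content match, so keep tokens short or emit rules for each alignment from a longer, more specific byte sequence as `snort_rules_for` does; and a "more specific signature that looks into the payload", as Ohanes asks for, needs bytes that are unique to the worm rather than to executables in general, which is what the ClamAV signature Tim started from is meant to supply.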