[Snort-users] Bripia worm

Matt Kettler mkettler at ...4108...
Wed Feb 2 18:11:11 EST 2005
At 08:11 PM 2/2/2005, Cesar Sanabria Pineda wrote:
>Hi, I have a virus spreading through messenger; it seems like
>Bropia.worm. Is there any snort rule to detect this worm?

None that I've seen, but you might be able to hack the MSN messenger 
file-transfer rule from bleeding snort (sid: 2001241) to detect any 
attempts to MSN a .pif file by adding `content:".pif"; distance:40;` 
to the end.
alert tcp $HOME_NET any <> $EXTERNAL_NET any ( \
    msg:"BLEEDING-EDGE CHAT MSN PIF file transfer request"; \
    flow:established; content:"MSG "; depth:4; \
    content:"Content-Type|3A|"; distance:0; nocase; \
    content:"text/x-msmsgsinvite"; distance:0; nocase; \
    content:"Application-Name|3A|"; content:"File Transfer"; distance:0; \
    content:".pif"; distance:40; nocase; \
    classtype:policy-violation; priority:1; sid:xxxx; rev:1;)

Note: I've mangled the sid above to avoid re-use of the bleeding-edge SID 
for the original rule; please pick a SID in the 1,000,000+ range.

Disclaimer: I've not tested this, as I don't have this worm roaming my 
network. I've also never tested the original rule; this is entirely a 
theory anyway.
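Added example (not part of the original post or of the Bleeding Snort rule set): a small Python re-implementation of the content/depth/distance/nocase semantics the rule above relies on, run over constructed MSNP file-transfer invitations, so the rule's logic and the effect of the distance:40 guess can be checked without a live host. The invitation layout, header values and GUID are constructed placeholders, not captured traffic.

```python
# Re-implementation of the Snort content/depth/distance/nocase matching
# used by the rule above (example code, not Snort's own matcher).

# (pattern, options) in the order the rule lists them
RULE = [
    (b"MSG ", {"depth": 4}),
    (b"Content-Type:", {"distance": 0, "nocase": True}),
    (b"text/x-msmsgsinvite", {"distance": 0, "nocase": True}),
    (b"Application-Name:", {}),            # no distance: absolute search
    (b"File Transfer", {"distance": 0}),
    (b".pif", {"distance": 40, "nocase": True}),
]

def rule_matches(payload: bytes, rule=RULE) -> bool:
    """True if every content in `rule` matches `payload`, in rule order."""
    cursor = 0  # byte just after the previous match (for relative contents)
    for pattern, opts in rule:
        hay, needle = payload, pattern
        if opts.get("nocase"):
            hay, needle = hay.lower(), needle.lower()
        # distance:N starts the search N bytes after the previous match;
        # a content without distance searches from the start of the payload.
        start = cursor + opts["distance"] if "distance" in opts else 0
        end = start + opts["depth"] if "depth" in opts else len(hay)
        pos = hay.find(needle, start, end)
        if pos < 0:
            return False
        cursor = pos + len(needle)
    return True

def msn_invite(filename: str, extra_headers: bool = True) -> bytes:
    # Constructed MSNP invitation: layout only, GUID is a placeholder.
    lines = ["MIME-Version: 1.0",
             "Content-Type: text/x-msmsgsinvite; charset=UTF-8",
             "",
             "Application-Name: File Transfer"]
    if extra_headers:
        lines += ["Application-GUID: {00000000-0000-0000-0000-000000000000}",
                  "Invitation-Command: INVITE",
                  "Invitation-Cookie: 1"]
    lines += [f"Application-File: {filename}", "Application-FileSize: 42"]
    body = "\r\n".join(lines) + "\r\n"
    return f"MSG 1 N {len(body)}\r\n".encode() + body.encode()

if __name__ == "__main__":
    print(rule_matches(msn_invite("photo.pif")))                  # True
    print(rule_matches(msn_invite("photo.jpg")))                  # False
    # distance:40 assumes >40 bytes between "File Transfer" and ".pif";
    # a client that sends the filename header right after Application-Name
    # puts ".pif" only 21 bytes later and the rule misses it.
    print(rule_matches(msn_invite("a.pif", extra_headers=False)))  # False
```

The last case is the check worth keeping in mind: the 40-byte gap depends on header ordering, so verify it against a real invitation before relying on the rule.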