[Snort-users] Bripia worm
mkettler at ...4108...
Wed Feb 2 18:11:11 EST 2005
At 08:11 PM 2/2/2005, Cesar Sanabria Pineda wrote:
>Hi, I have a virus spreading through Messenger; it seems like
>bropia.worm. Is there any Snort rule to detect this worm?
None that I've seen, but you might be able to hack the MSN Messenger
file-transfer rule from Bleeding Snort (sid: 2001241) to detect any
attempts to MSN a .pif file by adding content:".pif"; to the end:
# Bidirectional, so invites sent from or to the monitored network both count.
# Each content after the first "distance" one is searched relative to the end
# of the previous match; distance:40 means ".pif" must begin at least 40 bytes
# past the end of the "File Transfer" match.
alert tcp $HOME_NET any <> $EXTERNAL_NET any ( \
    msg:"BLEEDING-EDGE CHAT MSN PIF file transfer request"; \
    flow:established; \
    content:"MSG "; depth:4; \
    content:"Content-Type|3A|"; distance:0; nocase; \
    content:"text/x-msmsgsinvite"; distance:0; nocase; \
    content:"Application-Name|3A|"; content:"File Transfer"; distance:0; \
    content:".pif"; distance:40; nocase; \
    classtype:policy-violation; priority:1; sid:xxxx; rev:1;)
Note: I've mangled the sid above to avoid re-use of the Bleeding Edge SID
for the original rule; please pick a SID in the 1,000,000+ range.
Disclaimer: I've not tested this, as I don't have this worm roaming my
network. I've also never tested the original rule; this is entirely a
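Added example (not from the list post and not Snort code): a toy re-implementation of the content/depth/distance/nocase chain from the rule above, run against constructed MSN Messenger MSG payloads. The payloads are my approximation of the MSNP text/x-msmsgsinvite layout, not captures, and RULE_RELAXED (the same chain with the last distance:40 changed to distance:0) is an assumed variant included only to show what the 40-byte gap requirement does to a short invite.

```python
"""
Toy model of how Snort walks the content chain in the MSN PIF rule.
Added example: not code from the list post or from Snort.  Payloads below
are constructed approximations of MSNP invite messages, not real captures.
"""


def content_bytes(spec: str) -> bytes:
    """Turn a Snort content string such as 'Content-Type|3A|' into bytes,
    expanding the |..| hex escapes the way the rule language does."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


# The rule's content chain, in order.  A "distance" key makes the search
# relative to the end of the previous match; without it the search restarts
# at the beginning of the payload (bounded by "depth" if given).
RULE_AS_POSTED = [
    ("MSG ", {"depth": 4}),
    ("Content-Type|3A|", {"distance": 0, "nocase": True}),
    ("text/x-msmsgsinvite", {"distance": 0, "nocase": True}),
    ("Application-Name|3A|", {}),
    ("File Transfer", {"distance": 0}),
    (".pif", {"distance": 40, "nocase": True}),
]

# Assumed variant: final distance:40 loosened to distance:0, used only to
# show what the 40-byte gap requirement changes.
RULE_RELAXED = [
    (c, {**o, "distance": 0}) if c == ".pif" else (c, o) for c, o in RULE_AS_POSTED
]


def rule_matches(payload: bytes, rule=RULE_AS_POSTED) -> bool:
    """True if every content in the chain matches in sequence, honouring
    depth (absolute), distance (relative to previous match) and nocase."""
    cursor = 0  # end of the previous match
    for spec, opts in rule:
        pattern = content_bytes(spec)
        if "distance" in opts:
            start, end = cursor + opts["distance"], len(payload)
        else:
            start, end = 0, opts.get("depth", len(payload))
        hay = payload[start:end]
        if opts.get("nocase"):
            hay, pattern = hay.lower(), pattern.lower()
        idx = hay.find(pattern)
        if idx < 0:
            return False
        cursor = start + idx + len(pattern)
    return True


# Constructed sample payloads (the MSG length field is not validated here).
INVITE_PIF = (
    b"MSG 4 N 330\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: text/x-msmsgsinvite; charset=UTF-8\r\n"
    b"\r\n"
    b"Application-Name: File Transfer\r\n"
    b"Application-GUID: {5D3E02AB-6190-11d3-BBBB-00C04F795683}\r\n"
    b"Invitation-Command: INVITE\r\n"
    b"Invitation-Cookie: 1234\r\n"
    b"Application-File: Funny_Pic.PIF\r\n"
    b"Application-FileSize: 21504\r\n"
    b"\r\n"
)
INVITE_TXT = INVITE_PIF.replace(b"Funny_Pic.PIF", b"notes.txt")
# Plain chat text that merely mentions .pif must not fire: wrong content type.
CHAT = (
    b"MSG 5 N 110\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: text/plain; charset=UTF-8\r\n"
    b"\r\n"
    b"did you get the file.pif I sent?\r\n"
)
# Invite where Application-File directly follows Application-Name, so ".pif"
# begins only 21 bytes after "File Transfer": short of the distance:40 gap.
INVITE_SHORT = (
    b"MSG 6 N 120\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: text/x-msmsgsinvite; charset=UTF-8\r\n"
    b"\r\n"
    b"Application-Name: File Transfer\r\n"
    b"Application-File: a.pif\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for name, p in [("INVITE_PIF", INVITE_PIF), ("INVITE_TXT", INVITE_TXT),
                    ("CHAT", CHAT), ("INVITE_SHORT", INVITE_SHORT)]:
        print(f"{name:13s} posted={rule_matches(p)} "
              f"relaxed={rule_matches(p, RULE_RELAXED)}")
```

Running it shows the posted chain firing on the .pif invite and staying quiet on the .txt invite and on plain chat, and also that an invite whose Application-File line comes right after Application-Name slips under distance:40 while the distance:0 variant still catches it; whether the real client ever emits such a short invite is exactly the kind of thing to confirm against a capture before trusting the 40-byte gap.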