Snort mailing list archives
Re: bugbear signature?
From: Shane Williams <shanew () shanew net>
Date: Wed, 2 Oct 2002 18:21:53 -0500 (CDT)
I've spent some time today looking into this and here's the rule I've come up with to find it in SMTP traffic. Someone feel free to optimize it if necessary (I try not to use some of the new rule features to maintain some backward compatibility).

    alert tcp any any -> any 25 (msg:"Bugbear@MM virus in SMTP"; content:"uv+LRCQID7dIDFEECggDSLm9df8C/zSNKDBBAAoGA0AEUQ+FEN23f7doqAT/dCQk/xWcEQmDxCTD"; sid:900001; classtype:misc-activity; rev:1;)

I've tested it against my log of traffic since Oct. 1 and found 8 unique hits. I then ran a virus scanner over the decoded attachments to each flagged message and got 8 for 8 on bugbear hits. In that same time frame, I know there are other similar viruses (Yaga and generic Exploit-MIME), and none of them set off the bugbear rule above. Of course, none of that guarantees that this rule won't create false positives or false negatives, so if you get any, please let me know.

On Wed, 2 Oct 2002 lcweinmunson () aep com wrote:
> Does anyone have a working sig for the bugbear/tanatos virus yet? We've had one infection so far, but it was cleaned before I got a chance to sniff its network traffic.
>
> -- Les Weinmunson
--
Public key #7BBC68D9 at            | Shane Williams
http://pgp.mit.edu/                | Systems Administrator UT-GSLIS
=----------------------------------+-------------------------------
All syllogisms contain three lines | shanew () gslis utexas edu
Therefore this is not a syllogism  | www.gslis.utexas.edu/~shanew
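The rule above keys on one 76-character base64 chunk of the attachment, so it can miss when a mail client wraps the body at a column that falls inside that chunk, or when the attachment bytes sit at a different 3-byte alignment and encode to different characters. The following is an added example, not part of the post; it reproduces the content match on constructed SMTP bodies (the sample attachment and prefix bytes are made up for the demonstration) and shows both miss cases beside a line-unwrapped match that closes the first one.

```python
import base64

# The fragment the rule's content: option matches, copied from the rule above.
BUGBEAR_CONTENT = b"uv+LRCQID7dIDFEECggDSLm9df8C/zSNKDBBAAoGA0AEUQ+FEN23f7doqAT/dCQk/xWcEQmDxCTD"


def content_match(payload: bytes, pattern: bytes = BUGBEAR_CONTENT) -> bool:
    """Plain substring test, which is what a Snort content: option does on a packet."""
    return pattern in payload


def unwrapped_match(payload: bytes, pattern: bytes = BUGBEAR_CONTENT) -> bool:
    """Same test after stripping MIME line breaks, so a chunk that a 76-column
    wrap split across two base64 lines still matches."""
    return pattern in payload.replace(b"\r\n", b"").replace(b"\n", b"")


def mime_body(raw: bytes, width: int) -> bytes:
    """Base64-encode raw bytes and wrap at `width` columns, as a mail client would."""
    enc = base64.b64encode(raw)
    return b"\r\n".join(enc[i:i + width] for i in range(0, len(enc), width)) + b"\r\n"


# Constructed sample attachment: 30 arbitrary bytes, then the 57 bytes the
# fragment decodes to. 30 is a multiple of 3, so the fragment stays base64-aligned.
FRAGMENT = base64.b64decode(BUGBEAR_CONTENT)
ATTACHMENT = bytes(range(30)) + FRAGMENT
SMTP_PREFIX = b"Content-Transfer-Encoding: base64\r\n\r\n"

# Case 1: 76-column wrap. The 30 prefix bytes encode to 40 characters, so the
# pattern starts at column 40 and is cut by the CRLF at column 76.
WRAPPED_76 = SMTP_PREFIX + mime_body(ATTACHMENT, 76)
# Case 2: a single long line; the pattern is intact.
UNWRAPPED = SMTP_PREFIX + mime_body(ATTACHMENT, 10_000)
# Case 3: one extra leading byte shifts the 3-byte groups; the same data now
# encodes to different characters and the pattern never appears.
SHIFTED = SMTP_PREFIX + mime_body(b"\x00" + ATTACHMENT, 10_000)


def evaluate() -> dict:
    """Run both matchers over the three constructed bodies."""
    return {
        "wrapped_raw": content_match(WRAPPED_76),          # False: split by CRLF
        "wrapped_unwrapped": unwrapped_match(WRAPPED_76),  # True
        "intact_raw": content_match(UNWRAPPED),            # True
        "shifted_raw": content_match(SHIFTED),             # False: misaligned
        "shifted_unwrapped": unwrapped_match(SHIFTED),     # False: still misaligned
    }
```

The wrapped case is why 8-for-8 on one site's traffic does not rule out misses elsewhere; the shifted case is why a signature on one base64 chunk only holds for attachments encoded from the same byte offset.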
Current thread:
- Re: bugbear signature? Shane Williams (Oct 02)