Re: scr Worm - false alarms

[Frank Knobbe <fknobbe () knobbeits com>]

On Sun, 2002-01-27 at 22:50, Wolfgang Rohdewald wrote:
> this string results in a warning:
>
> 65 69 76 65 64 3A 20 66 72 6F 6D 20 61 64 73 6C  eived: from adsl
> 2D 36 34 2D 31 36 34 2D 33 36 2D 35 37 2E 64 73  -64-164-36-57.ds
> 6C 2E 73 63 72 6D 30 31 2E 70 61 63 62 65 6C 6C  l.scrm01.pacbell
> 2E 6E 65 74 20 28 48 45 4C 4F 20 64 73 6C 2E 6C  .net (HELO dsl.l
> 6F 63 61 6C 29 20 28 72 6F 6F 74 40 36 34 2E 31  ocal) (root@64.1
>
> caused by this rule:
>
> alert tcp any 110 -> any any (msg:"Virus - Possible scr Worm"; content: 
> ".scr"; nocase;
> sid:729;  classtype:misc-activity; rev:3;)
>
>
> Is it possible to change this rule such that .scr only triggers if
> not followed by other characters? Supposing an extension like .scrm
> cannot carry that virus - which I am not certain of.


I guess simply adding a 'content: "filename=";' would be enough. Take a
look at the other rules in virus.rules and you see how they are
'refined'.

Regards,
Frank

Attachment: signature.asc
Description: This is a digitally signed message part