Re: Klez false positive

[Shane Williams <shanew () shanew net>]

On Thu, 11 Jul 2002, Claudiu wrote:

> Hi all,
> I have active the last rule set from snort site and I am receiving a
> lot of Klez alerts which are false positive. The string
> "VGhpcyBwcm9" which Klez rule is looking for is found, for example,
> in shokwaveinstaler.exe as well. Does anyone has a better rule?
> Thanks.

I've been using the following rule for a couple of months, and I
haven't seen any false positives (I'm also using it as a system-wide
procmail filter and I check for false positives there).

I purposely put in some of the carriage returns so it's less likely to
set off people's filters.  Note also that I want to know if it's
leaving my network as well as coming in.

# Catch Klez in SMTP
alert tcp any any -> any 25 (msg:"Virus - Klez"; 
content:"135AAItEjhyJRI8ci0SOGI
lEjxiLRI4UiUSPFItEjhCJRI8Qi0SODIlEjwyLRI4IiUSPCItE"; sid:10012;
classtype:misc-activity; rev:1;)

-- 
Public key #7BBC68D9 at            |                 Shane Williams
http://pgp.mit.edu/                |                               
=----------------------------------+-------------------------------
All syllogisms contain three lines |              shanew () shanew net
Therefore this is not a syllogism  |   www.gslis.utexas.edu/~shanew



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
PC Mods, Computing goodies, cases & more
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users