Snort mailing list archives

Re: Klez sig detects Frethem-Fam


From: Shane Williams <shanew () shanew net>
Date: Tue, 16 Jul 2002 08:48:27 -0500 (CDT)

-----BEGIN PGP SIGNED MESSAGE-----

I've been using the following rule for a couple of months, and I
haven't seen any false positives (I'm also using it as a system-wide
procmail filter and I check for false positives there), but I'm not
familiar with Frethem-Fam, so maybe I just don't realize.

I purposely put in some of the carriage returns so it's less likely to
set off people's filters.  Note also that I want to know if it's
leaving my network as well as coming in.

# Catch Klez in SMTP
alert tcp any any -> any 25 (msg:"Virus - Klez"; 
content:"135AAItEjhyJRI8ci0SOGI
lEjxiLRI4UiUSPFItEjhCJRI8Qi0SODIlEjwyLRI4IiUSPCItE"; sid:10012;
classtype:misc-activity; rev:1;)

If you get either false negatives or positives, please let me know.

On Tue, 16 Jul 2002, Detmar Liesen wrote:

Hi again,
granted, I haven't read my sigs mail thoroughly during the past few days, so
maybe this has already been discussed.

We are currently detecting lots of "Klez" worms with our snort, which are in
fact Frethem-Fam worms, so the two seem to be related or derived from each
other.
I can tell this from the AV alerts on our mail gateway.

Question:
Is there any means to distinguish the two from each other?
I'd rather not look for the "password" W8dqwq8q918213 (see reference
in-line) since this is likely to change.
Has anybody created a sig for Frethem already?

Maybe it's no good to create additional signatures for each derived worm,
because this has a negative impact on snort performance. Snort is no AV
tool anyway.

What do you recommend regarding worm/virus detection in snort?
Is this something we should leave to the AV software solely?

TIA,
Detmar

Additional Info:
http://www.sophos.com/virusinfo/analyses/w32frethemfam.html



- -- 
Public key #7BBC68D9 at            |                 Shane Williams
http://pgp.mit.edu/                |                               
=----------------------------------+-------------------------------
All syllogisms contain three lines |              shanew () shanew net
Therefore this is not a syllogism  |   www.gslis.utexas.edu/~shanew

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBPTQkL2a83yV7vGjZAQHVUAP+KL++R4Z1Fa9zzS7dJAjU8pYHr0JVN2dt
LSHoMaVoJJuKtUC+lfEm7heU71tjiw6IUzTPA0pWqVusJAVJGJEyOm/8at/hZoS+
OQPzst+MQQsVQa1qmOIO5m9wo4548WX9d4UOn0190QaNsBtkQ+QfWXL0mjOvflUT
p3V+qkto7vg=
=2Act
-----END PGP SIGNATURE-----
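The rule above does a plain Snort "content:" match on the base64 text of the attachment as it crosses port 25. The following Python is an added example for this archive page, not code from Shane, Detmar or the Snort project: it reproduces that match over two constructed SMTP bodies (one benign, one that carries the rule's content string; neither is a real worm sample), and then goes one step beyond the thread to show why such signatures are fragile in the way Detmar worries about. Base64 encodes the same bytes differently depending on where they fall relative to a 3-byte boundary, so a signature taken from one captured message only fires for one of the three possible alignments. The marker bytes and message headers below are constructed for the demonstration.

```python
import base64

# Snort content string from Shane's rule, joined back into one token
# (the line breaks in the posted rule are deliberate, see his note).
KLEZ_CONTENT = (
    "135AAItEjhyJRI8ci0SOGI"
    "lEjxiLRI4UiUSPFItEjhCJRI8Qi0SODIlEjwyLRI4IiUSPCItE"
)


def content_match(payload: bytes, pattern: str = KLEZ_CONTENT) -> bool:
    """Snort 'content:' semantics for a plain string without 'nocase':
    a case-sensitive substring search anywhere in the TCP payload."""
    return pattern.encode("ascii") in payload


def smtp_body(message_lines: list) -> bytes:
    """Join constructed SMTP DATA lines with CRLF, as they cross port 25."""
    return b"\r\n".join(message_lines) + b"\r\n"


# Constructed benign message: a small base64-encoded text attachment.
BENIGN = smtp_body([
    b"From: alice@example.invalid",
    b"Subject: quarterly numbers",
    b"Content-Transfer-Encoding: base64",
    b"",
    base64.b64encode(b"Nothing to see here, just a spreadsheet."),
])

# Constructed sample that carries the rule's content string inside a
# base64 body. It is NOT a Klez sample; it only exercises the signature.
HIT = smtp_body([
    b"From: bob@example.invalid",
    b"Subject: look at this",
    b"Content-Transfer-Encoding: base64",
    b"",
    b"AAAAAAAA" + KLEZ_CONTENT.encode("ascii") + b"AAAA",
])


def base64_views(marker: bytes, alignments: int = 3) -> list:
    """Encode the same marker bytes after 0, 1 and 2 bytes of preceding
    data and return the base64 text for each. Identical bytes produce
    different base64 characters once their offset mod 3 changes."""
    return [
        base64.b64encode(b"\x00" * n + marker).decode("ascii")
        for n in range(alignments)
    ]


def alignment_catches(marker: bytes) -> list:
    """For each alignment, report whether a content signature built from
    the marker encoded on its own (offset 0) appears in that base64 text.
    Only the matching alignment fires, which is the weakness of a
    base64-level content match."""
    signature = base64.b64encode(marker).decode("ascii")
    return [signature in view for view in base64_views(marker)]


if __name__ == "__main__":
    print("benign matches rule:", content_match(BENIGN))
    print("sample matches rule:", content_match(HIT))
    # 21-byte marker, a multiple of 3, so the offset-0 encoding has no padding.
    print("alignments caught:", alignment_catches(b"MARKER-BYTES-FOR-TEST"))
```

The alignment check is the practical caveat for any rule of this shape: to cover a worm whose attachment can be preceded by a variable amount of data, a defender needs one content string per alignment (three in total), or a detection that decodes the base64 first, which is the kind of work an AV gateway already does and part of why the thread questions doing it in Snort at all.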

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users