Snort mailing list archives
Re: Klez sig detects Frethem-Fam
From: Shane Williams <shanew () shanew net>
Date: Tue, 16 Jul 2002 08:48:27 -0500 (CDT)
I've been using the following rule for a couple of months, and I haven't seen any false positives (I'm also using it as a system-wide procmail filter and I check for false positives there), but I'm not familiar with Frethem-Fam, so maybe I just don't realize. I purposely put in some of the carriage returns so it's less likely to set off people's filters. Note also that I want to know if it's leaving my network as well as coming in.

# Catch Klez in SMTP
alert tcp any any -> any 25 (msg:"Virus - Klez"; content:"135AAItEjhyJRI8ci0SOGI
lEjxiLRI4UiUSPFItEjhCJRI8Qi0SODIlEjwyLRI4IiUSPCItE"; sid:10012; classtype:misc-activity; rev:1;)

If you get either false negatives or positives, please let me know.

On Tue, 16 Jul 2002, Detmar Liesen wrote:
Hi again,

granted, I haven't read my sigs mail thoroughly during the past few days, so maybe this has already been discussed.

We are currently detecting lots of "Klez" worms with our snort, which are in fact Frethem-Fam worms, so the two seem to be related or derived from each other. I can tell this from the AV alerts on our mail gateway.

Question: Is there any means to distinguish the two from each other? I'd rather not look for the "password" W8dqwq8q918213 (see reference in-line) since this is likely to change.

Has anybody created a sig for Frethem already?

Maybe it's no good to create additional signatures for each derived worm, because this has a negative impact on snort performance. Snort is no AV tool anyway.

What do you recommend regarding worm/virus detection in snort? Is this something we should leave to the AV software solely?

TIA,
Detmar

Additional Info: http://www.sophos.com/virusinfo/analyses/w32frethemfam.html
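An added example, not part of this thread, showing why a rule that matches a base64 fragment of the attachment (as Shane's rule does) is sensitive to byte alignment and MIME line wrapping. It reassembles the rule's content string with the mail-safety line break removed, derives the three base64 spellings a byte marker can take depending on its offset modulo 3, and checks a constructed attachment body the way a literal content match would versus after joining lines or decoding. The sample attachment bytes are constructed filler, not a real worm sample.

```python
import base64

# The content string from Shane's rule, with the line break he inserted for
# mail-filter safety removed. Snort matches it literally against the base64
# text of the attachment as it crosses the wire on port 25.
KLEZ_RULE_CONTENT = ("135AAItEjhyJRI8ci0SOGI"
                     "lEjxiLRI4UiUSPFItEjhCJRI8Qi0SODIlEjwyLRI4IiUSPCItE")

def rule_content_to_bytes(content: str) -> bytes:
    """Decode a base64 rule fragment back to the raw attachment bytes it covers."""
    return base64.b64decode(content + "=" * (-len(content) % 4))

def base64_variants(marker: bytes) -> list:
    """The three base64 spellings of `marker`, one per byte offset modulo 3.

    A literal content match only sees the spelling for one alignment; the
    leading and trailing characters that also depend on neighbouring bytes
    are trimmed so each variant is stable wherever the marker sits.
    """
    out = []
    for phase in range(3):
        enc = base64.b64encode(b"\x00" * phase + marker).decode().rstrip("=")
        head = (phase * 8 + 5) // 6            # chars polluted by the pad bytes
        keep = (phase + len(marker)) * 8 // 6  # chars built only from real bytes
        out.append(enc[head:keep])
    return out

def find_marker(mime_body: str, marker: bytes) -> dict:
    """Check a wrapped base64 body three ways: literal (what a content match
    sees), literal after removing line breaks, and after full decoding."""
    variants = base64_variants(marker)
    joined = "".join(mime_body.split())        # drop the 76-column line breaks
    decoded = base64.b64decode(joined + "=" * (-len(joined) % 4))
    return {
        "literal": any(v in mime_body for v in variants),
        "joined": any(v in joined for v in variants),
        "decoded": marker in decoded,
    }

KLEZ_MARKER = rule_content_to_bytes(KLEZ_RULE_CONTENT)   # 54 bytes

# Constructed sample (not a real binary): a few header bytes, the marker at
# byte offset 5 (phase 2), then filler. base64.encodebytes wraps at 76 columns
# like a MIME encoder, so the 71-character variant straddles a line break and
# the literal match misses while the joined and decoded checks still hit.
SAMPLE_ATTACHMENT = b"MZ\x90\x00\x03" + KLEZ_MARKER + b"\x00" * 16
SAMPLE_BODY = base64.encodebytes(SAMPLE_ATTACHMENT).decode()

if __name__ == "__main__":
    print(find_marker(SAMPLE_BODY, KLEZ_MARKER))
    # -> {'literal': False, 'joined': True, 'decoded': True}
```

The phase-0 variant is exactly the rule's content string; the other two are what the same bytes look like when the worm's encoder places them at a different offset.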
Current thread:
- Klez sig detects Frethem-Fam Detmar Liesen (Jul 16)
- Re: Klez sig detects Frethem-Fam Shane Williams (Jul 16)
- Re: Klez - Detect MIME- and IFRAME exploit Kistler Ueli (Jul 16)
- Re: Klez sig detects Frethem-Fam Shane Williams (Jul 16)