Snort mailing list archives

Re: bugbear signature?


From: Shane Williams <shanew () shanew net>
Date: Wed, 2 Oct 2002 18:21:53 -0500 (CDT)

I've spent some time today looking into this and here's the rule I've
come up with to find it in SMTP traffic.  Someone feel free to
optimize it if necessary (I try not to use some of the new rule
features to maintain some backward compatibility).

alert tcp any any -> any 25 (msg:"Bugbear@MM virus in SMTP"; 
content:"uv+LRCQID7dIDFEECggDSLm9df8C/zSNKDBBAAoGA0AEUQ+FEN23f7doqAT/dCQk/xWcEQmDxCTD"; sid:900001; 
classtype:misc-activity; rev:1;)

I've tested it against my log of traffic since Oct. 1 and found 8
unique hits.  I then ran a virus scanner over the decoded attachments
to each flagged message and got 8 for 8 on bugbear hits.  In that same
time frame, I know there are other similar viruses (Yaga and generic
Exploit-MIME), and none of them set off the bugbear rule above.

Of course, none of that guarantees that this rule won't create false
positives or false negatives, so if you get any, please let me know.

On Wed, 2 Oct 2002 lcweinmunson () aep com wrote:

Does anyone have a working sig for the bugbear/tanatos virus yet?  We've
had one infection so far, but it was cleaned before I got a chance to
sniff its network traffic.



--
Les Weinmunson

-- 
Public key #7BBC68D9 at            |                 Shane Williams
http://pgp.mit.edu/                | Systems Administrator UT-GSLIS
=----------------------------------+-------------------------------
All syllogisms contain three lines |        shanew () gslis utexas edu
Therefore this is not a syllogism  |   www.gslis.utexas.edu/~shanew
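The content string in the rule above is 76 base64 characters, which is one full MIME base64 line and decodes to exactly 57 bytes of the attachment. The following Python is an added example, not from the post: it emulates the rule's raw substring match against a constructed MIME message, then shows a check on the decoded attachment bytes that does not depend on where the base64 lines of the attachment happen to start. The messages and attachment contents are constructed here purely for illustration.

```python
import base64
import email

# The 76-character base64 string from the posted Snort rule. 76 base64 chars
# is one full MIME line and decodes to exactly 57 bytes of the attachment.
SIG_B64 = ("uv+LRCQID7dIDFEECggDSLm9df8C/zSNKDBBAAoGA0AEUQ+FEN23f7doqAT/"
           "dCQk/xWcEQmDxCTD")
SIG_BYTES = base64.b64decode(SIG_B64)  # 57 bytes


def build_message(attachment: bytes) -> bytes:
    """Constructed SMTP DATA body with one base64 attachment, wrapped at 76
    characters per line the way mail clients emit it."""
    b64 = base64.encodebytes(attachment).replace(b"\n", b"\r\n")
    return (b"From: sender@example.test\r\nTo: rcpt@example.test\r\n"
            b"Subject: constructed sample\r\nMIME-Version: 1.0\r\n"
            b'Content-Type: multipart/mixed; boundary="B"\r\n\r\n'
            b"--B\r\nContent-Type: text/plain\r\n\r\nsee attached\r\n"
            b'--B\r\nContent-Type: application/octet-stream; name="a.exe"\r\n'
            b"Content-Transfer-Encoding: base64\r\n\r\n" + b64 + b"--B--\r\n")


def snort_style_match(smtp_payload: bytes) -> bool:
    """What the rule's content: option does: a raw byte-substring search."""
    return SIG_B64.encode() in smtp_payload


def decoded_attachment_match(smtp_payload: bytes) -> bool:
    """Decode each base64 MIME part and search the decoded bytes instead, so
    the check no longer depends on the alignment of the base64 lines."""
    msg = email.message_from_bytes(smtp_payload)
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get("Content-Transfer-Encoding", "").lower() != "base64":
            continue
        if SIG_BYTES in part.get_payload(decode=True):
            return True
    return False


# Constructed attachment: 57 filler bytes, then SIG_BYTES, so SIG_BYTES fills
# exactly the second base64 line and the raw string match fires.
ALIGNED = build_message(b"MZ" + b"\x00" * 55 + SIG_BYTES + b"\x90" * 20)
# Same bytes with one extra leading byte: every base64 line is re-aligned and
# the 76-char string no longer appears, but the decoded bytes are unchanged.
SHIFTED = build_message(b"\x01MZ" + b"\x00" * 55 + SIG_BYTES + b"\x90" * 20)
# An attachment without the pattern at all: neither check should fire.
CLEAN = build_message(b"MZ" + b"\x00" * 200)
```

Running the two checks over ALIGNED and SHIFTED shows why the author's false-negative caveat matters: the raw match only fires on ALIGNED, while the decoded match fires on both and on neither for CLEAN.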




