Snort mailing list archives
RE: Rule for Sobig
From: "D@7@K|N&" <dataking () cox net>
Date: Fri, 29 Aug 2003 08:53:51 -0700
You may want to pair this rule with one built on port 8998. This is the port the worm listens on after a system has been compromised. For example...

alert tcp any any -> any 8998 (msg:"Probable Sobig.F Backdoor"; \
    content:" - < NOT QUITE SURE WHAT SHOULD GO HERE> - "; \
    sid:9000020; classtype:misc-activity; rev:1;)

-= tH3 D@7@K|N& =-
-----Original Message-----
From: Shane Williams [mailto:shanew () shanew net]
Sent: Friday, August 29, 2003 8:39 AM
To: Timm Schneider
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Rule for Sobig

On Fri, 29 Aug 2003, Timm Schneider wrote:

> I've got a mail server (official) behind my Iptables+Snort FW. I would like
> to filter the Sobig worm on my Snort. How should I do that? Where can I find
> any rule for that? I get about 50 mails an hour with Sobig on my mail server.

In general, looking at the snort-sigs mailing list archive is a good way to see if anyone has already come up with something. I sent the following to that list back on the 19th and I haven't heard anyone remark on false positives or negatives since then.

alert tcp any any -> any 25 (msg:"Probable Sobig.F in SMTP"; \
    content:"VDvdKcYWznRbLRPadQ+V576YUs6FwBGGrYnr7cqYlLI9/9zwrfe9T0tMbFTdX2GmQfo7TrcECi9A"; \
    sid:9000019; classtype:misc-activity; rev:1;)

If you find any false positives or negatives using this rule, please let me know.

--
Public key #7BBC68D9 at             | Shane Williams
http://pgp.mit.edu/                 | System Admin - UT iSchool
=-----------------------------------+-------------------------------
All syllogisms contain three lines  | shanew () shanew net
Therefore this is not a syllogism   | www.ischool.utexas.edu/~shanew

-------------------------------------------------------
This sf.net email is sponsored by: ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
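The two checks this thread describes, applied to constructed traffic, as an added example. This is not code from either poster and not a Snort feature; it re-implements the logic of the two rules in plain Python so the failure mode of a literal content match can be seen. The flow record layout, the host addresses and the SMTP sessions are my own constructions; the 76-character signature string is copied from Shane's rule, and the port 8998 check deliberately ignores the transport because the prose above names only the port.

```python
import base64
from dataclasses import dataclass

# Signature string copied from the rule posted in this thread.  It is 76
# characters long, exactly one standard MIME base64 line.
SOBIG_F_B64 = ("VDvdKcYWznRbLRPadQ+V576YUs6FwBGG"
               "rYnr7cqYlLI9/9zwrfe9T0tMbFTdX2GmQfo7TrcECi9A")
BACKDOOR_PORT = 8998  # port the follow-up says the worm listens on after infection


@dataclass
class Flow:
    """One reassembled session.  This record shape is my assumption for the example."""
    proto: str          # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    payload: bytes = b""


def raw_content_match(payload: bytes) -> bool:
    """What the posted Snort rule does: a literal byte match in the stream."""
    return SOBIG_F_B64.encode() in payload


def smtp_signature_hit(payload: bytes) -> bool:
    """Raw match first; if that misses, retry with line breaks removed, so a
    base64 body that an MTA re-wrapped at another width (signature straddling
    a CRLF) is still caught.  Only CR/LF is stripped; anything more would
    change the base64 text itself and break the match."""
    if raw_content_match(payload):
        return True
    flat = payload.replace(b"\r\n", b"").replace(b"\n", b"")
    return SOBIG_F_B64.encode() in flat


def inspect(flow: Flow) -> list[str]:
    """Return the alert messages a rule pair like the thread's would raise."""
    alerts = []
    if flow.proto == "tcp" and flow.dport == 25 and smtp_signature_hit(flow.payload):
        alerts.append("Probable Sobig.F in SMTP")
    # The posted backdoor rule says tcp; the prose only says "port 8998",
    # so this check intentionally does not depend on the transport.
    if flow.dport == BACKDOOR_PORT:
        alerts.append("Probable Sobig.F Backdoor")
    return alerts


# ---- constructed sample traffic (not captured data) -----------------------
def _wrap(b64: str, width: int) -> bytes:
    """Split a base64 string into CRLF-terminated lines of the given width."""
    return b"\r\n".join(b64[i:i + width].encode() for i in range(0, len(b64), width))


def _smtp_data(body: bytes) -> bytes:
    """Minimal SMTP DATA exchange around a base64 body (constructed)."""
    return (b"MAIL FROM:<a@example.test>\r\nRCPT TO:<b@example.test>\r\nDATA\r\n"
            b"Subject: Re: Details\r\nContent-Transfer-Encoding: base64\r\n\r\n"
            + body + b"\r\n.\r\n")


def sample_flows() -> dict:
    filler = base64.b64encode(b"abc" * 19).decode()   # 57 bytes -> 76 chars, no padding
    stream = filler + SOBIG_F_B64 + filler             # signature is line 2 when wrapped at 76
    return {
        "wrapped76": Flow("tcp", "10.0.0.5", "10.0.0.25", 25, _smtp_data(_wrap(stream, 76))),
        "wrapped64": Flow("tcp", "10.0.0.6", "10.0.0.25", 25, _smtp_data(_wrap(stream, 64))),
        "clean":     Flow("tcp", "10.0.0.7", "10.0.0.25", 25, _smtp_data(_wrap(filler * 3, 76))),
        "backdoor":  Flow("udp", "10.0.0.8", "10.0.0.9", BACKDOOR_PORT),
        "web":       Flow("tcp", "10.0.0.8", "10.0.0.9", 80, b"GET / HTTP/1.0\r\n\r\n"),
    }


if __name__ == "__main__":
    for name, flow in sample_flows().items():
        print(f"{name:10s} raw={raw_content_match(flow.payload)!s:5s} alerts={inspect(flow)}")
```

The "wrapped64" session is the case worth noticing: the same attachment, re-wrapped by a relay at 64 columns, no longer contains the 76-character string as a contiguous byte run, so a literal content match like the posted rule's sees nothing, while the second pass with line breaks removed still fires. That is one source of false negatives to keep in mind whenever a rule keys on a whole base64 line.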
Current thread:
- Rule for Sobig Timm Schneider (Aug 29)
- Re: Rule for Sobig Shane Williams (Aug 29)
- RE: Rule for Sobig D@7@K|N& (Aug 29)
- Re: Rule for Sobig Erek Adams (Aug 29)
- Re: Rule for Sobig Shane Williams (Aug 29)