Snort mailing list archives

RE: Rule for Sobig


From: "D@7@K|N&" <dataking () cox net>
Date: Fri, 29 Aug 2003 08:53:51 -0700

You may want to pair this rule with one built on port 8998.  This is the
port the worm listens on after a system has been compromised.

For example...

alert tcp any any -> any 25 (msg:"Probable Sobig.F Backdoor"; \
content:" - <NOT QUITE SURE WHAT SHOULD GO HERE> - "; \
sid:9000020; classtype:misc-activity; rev:1;)

-= tH3 D@7@K|N& =-

-----Original Message-----
From: Shane Williams [mailto:shanew () shanew net]
Sent: Friday, August 29, 2003 8:39 AM
To: Timm Schneider
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Rule for Sobig

On Fri, 29 Aug 2003, Timm Schneider wrote:

I have a mail server (official) behind my iptables+Snort FW.

I would like to filter the Sobig worm on my Snort.
How should I do that?
Where can I find any rule for that?
I receive about 50 mails an hour with Sobig on my
mail server.

In general, looking at the snort-sigs mailing list archive is a good
way to see if anyone has already come up with something.  I sent the
following to that list back on the 19th and I haven't heard anyone
remark on false positives or negatives since then.

alert tcp any any -> any 25 (msg:"Probable Sobig.F in SMTP";\
content:"VDvdKcYWznRbLRPadQ+V576YUs6FwBGG\
rYnr7cqYlLI9/9zwrfe9T0tMbFTdX2GmQfo7TrcECi9A";\
sid:9000019; classtype:misc-activity; rev:1;)

If you find any false positives or negatives using this rule, please
let me know.

--
Public key #7BBC68D9 at            |                 Shane Williams
http://pgp.mit.edu/                |      System Admin - UT iSchool
=----------------------------------+-------------------------------
All syllogisms contain three lines |              shanew () shanew net
Therefore this is not a syllogism  | www.ischool.utexas.edu/~shanew



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
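An added example, not code from this thread: a small Python model of what the content: match in sid 9000019 actually tests, run over constructed SMTP DATA samples (the MIME headers, the filler base64 and the attachment name are made up). It also shows the check a practitioner would want alongside the rule: the same 76-character string searched again after the base64 line breaks are stripped, so a hit does not depend on where the sending MTA wrapped the attachment.

```python
import re

# Content string from the Snort rule sid 9000019 quoted in this thread. Snort joins
# the backslash-continued lines, so the effective pattern is one 76-character string.
SOBIG_F_SIG = (
    "VDvdKcYWznRbLRPadQ+V576YUs6FwBGG"
    "rYnr7cqYlLI9/9zwrfe9T0tMbFTdX2GmQfo7TrcECi9A"
)


def match_raw(payload: str) -> bool:
    """Plain substring search, which is what a Snort content: option does on the stream."""
    return SOBIG_F_SIG in payload


def match_normalized(payload: str) -> bool:
    """Same search after dropping the CR/LF wrapping of a base64 MIME body, so the hit
    no longer depends on where the sending MTA happened to break the lines."""
    return SOBIG_F_SIG in re.sub(r"\r?\n", "", payload)


def make_smtp_payload(width: int, with_sig: bool = True) -> str:
    """Constructed sample only (not real Sobig.F data): filler base64 around the
    signature, wrapped at `width` characters per line like a MIME body."""
    filler = "QUFB" * 19                      # 76 chars of harmless base64 ("AAA"...)
    body = filler + (SOBIG_F_SIG if with_sig else filler) + filler
    lines = [body[i:i + width] for i in range(0, len(body), width)]
    return (
        'Content-Type: application/octet-stream; name="sample.bin"\r\n'
        "Content-Transfer-Encoding: base64\r\n\r\n"
        + "\r\n".join(lines) + "\r\n.\r\n"
    )


def scan(payloads: dict) -> dict:
    """Run both checks over named payloads -> {name: (raw_hit, normalized_hit)}."""
    return {name: (match_raw(p), match_normalized(p)) for name, p in payloads.items()}


if __name__ == "__main__":
    samples = {
        "wrapped_at_76": make_smtp_payload(76),   # signature lands on one line
        "wrapped_at_60": make_smtp_payload(60),   # signature straddles two lines
        "clean": make_smtp_payload(76, with_sig=False),
    }
    for name, (raw, norm) in scan(samples).items():
        print(f"{name:14s} raw={raw!s:5s} normalized={norm}")
```

This only models the SMTP side; the companion rule on port 8998 suggested in the reply above would still be needed to catch an already-infected host.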