Re: New snort rule for WORM_NETSKY.B yet PLEASE???

[Matt Kettler <mkettler () evi-inc com>]

At 10:15 AM 2/18/2004, Snortty wrote:
> This one seems to be getting ready, or already spread
> like the last time, any rule to apply to detect it yet?

Hardly urgent, as nobody should be using snort as a first-line-of-defense 
against mail worms.. That's what putting a virus scanner on your mailserver 
is for.

However, it would be handy to have a signature for this things file-share 
spread.

Details on the worm can be found here
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=101034

The clamAV signature for this thing is:
Worm.SomeFool 
(Clam)=ce366483cb540740032ca8bf6c9a2004f082736f6d6574682bd446edb36973d
a6ff213b154df0b676f087719678ffd46fdef796f75fd65206261640b747279fa61df5517737465616c1
f6665656cb0466da59e24739b13decaed5b1e726e206d4465791a6174


Which is a rather long signature to be looking for in packets via snort, 
but it's a start. (note that clamav signatures are just virusname=(hex 
signature))

Note: the above signature is extracted from clamav daily.cvd version 134, 
and thus is likely Copyrighted with GPL licensing like the rest of clamav.
        You can obtain all of clamav, and it's source code from: 
http://www.clamav.net/



-------------------------------------------------------
SF.Net is sponsored by: Speed Start Your Linux Apps Now.
Build and deploy apps & Web services for Linux with
a free DVD software kit from IBM. Click Now!
http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users