Snort mailing list archives
Re: New snort rule for WORM_NETSKY.B yet PLEASE???
From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 18 Feb 2004 12:24:31 -0500
At 10:15 AM 2/18/2004, Snortty wrote:
> This one seems to be getting ready, or already spread like the last time, any rule to apply to detect it yet?
Hardly urgent, as nobody should be using snort as a first-line-of-defense against mail worms. That's what putting a virus scanner on your mailserver is for.
However, it would be handy to have a signature for this thing's file-share spread.
Details on the worm can be found here: http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=101034
The clamAV signature for this thing is:
Worm.SomeFool (Clam)=ce366483cb540740032ca8bf6c9a2004f082736f6d6574682bd446edb36973d
a6ff213b154df0b676f087719678ffd46fdef796f75fd65206261640b747279fa61df5517737465616c1
f6665656cb0466da59e24739b13decaed5b1e726e206d4465791a6174
Which is a rather long signature to be looking for in packets via snort, but it's a start. (Note that clamav signatures are just virusname=(hex signature).)
Note: the above signature is extracted from clamav daily.cvd version 134, and thus is likely copyrighted with GPL licensing like the rest of clamav. You can obtain all of clamav, and its source code, from: http://www.clamav.net/
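Added example, not part of the original message and not code from Snort or ClamAV: a converter from the virusname=(hex signature) layout described above into a Snort rule with content matches. The rule header, the sid and the sample signature are assumptions constructed for illustration, and the handling of the ClamAV "*" wildcard goes beyond the plain-hex case in the post.

```python
import re

HEX_RUN = re.compile(r"^(?:[0-9a-fA-F]{2})+$")


def parse_clamav_sig(line):
    """Split 'VirusName=hexsig' (the layout quoted in the post) into name and body."""
    name, sep, body = line.strip().partition("=")
    if not sep or not name or not body:
        raise ValueError("expected virusname=hexsignature")
    return name.strip(), "".join(body.split())  # drop wrap whitespace in the hex


def to_content_options(hexsig):
    """Turn the hex body into Snort content options.

    Plain hex becomes one content match. A '*' (any number of bytes) splits
    the signature into ordered matches chained with distance:0. Other
    wildcards (??, {n}, alternation) are rejected rather than guessed at.
    """
    opts = []
    for i, part in enumerate(hexsig.split("*")):
        if not HEX_RUN.match(part):
            raise ValueError("unsupported or malformed signature part: %r" % part)
        pairs = " ".join(part[j:j + 2].lower() for j in range(0, len(part), 2))
        opt = 'content:"|%s|";' % pairs
        if i > 0:
            opt += " distance:0;"  # must follow the previous match, in order
        opts.append(opt)
    return opts


def escape_msg(text):
    """Backslash-escape the characters Snort's rule parser treats as special."""
    return re.sub(r'([;"\\])', r"\\\1", text)


def clamav_to_snort(line, sid, header="alert tcp any any -> any any"):
    # header and sid are assumptions; pick ones that fit the local ruleset.
    name, hexsig = parse_clamav_sig(line)
    body = " ".join(to_content_options(hexsig))
    return '%s (msg:"%s"; %s sid:%d; rev:1;)' % (header, escape_msg(name), body, sid)


# Constructed sample, not a real ClamAV signature.
SAMPLE = "Worm.Example (Clam)=4d5a9000*deadbeef"

if __name__ == "__main__":
    print(clamav_to_snort(SAMPLE, sid=1000001))
```

A content match only fires when the bytes appear within one packet or reassembled stream segment, which is part of why a long file signature is awkward to use this way.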