Snort mailing list archives
RE: NetSky worm signature definition...!!!
From: Shane Williams <shanew () shanew net>
Date: Thu, 19 Feb 2004 17:31:28 -0600 (CST)
I would strongly discourage this rule to catch Klez, NetSky or any virus, for that matter. Running the string through some archived mail, I'm seeing lots of false positives, particularly in (legitimate) word documents. I'll see what I can do to come up with something that reduces false positives.

On Thu, 19 Feb 2004, Tim Hergert wrote:
Having a portion that is a mass mailer, you'll see it come in on port 25 for sure . . . Using Matt Kettler's suggestion, I quickly kludged together a rule using the clam av signature http://www.clamav.net/. However, the old Klez detection rule seems to be triggered by NetSky, and the log times seem to correlate exactly with the logs from the antivirus software on the mail server.

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"VIRUS Klez Incoming"; flow:to_server,established; dsize:>120; content:"MIME"; content:"VGhpcyBwcm9"; classtype:misc-activity; sid:1800; rev:3;)

Seems to work well for me, but maybe I'm just lucky.

-----Original Message-----
From: Semerjian, Ohanes [mailto:ohanes.semerjian () au mci com]
Sent: February 18, 2004 8:23 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] NetSky worm signature definition...!!!

Hello all,

Just was wondering if anyone had this latest worm signature defined or knows how it works (like which port, protocol it uses).

Best Regards
Ohanes Semerjian

-------------------------------------------------------
SF.Net is sponsored by: Speed Start Your Linux Apps Now. Build and deploy apps & Web services for Linux with a free DVD software kit from IBM. Click Now! http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Public key #7BBC68D9 at            | Shane Williams
http://pgp.mit.edu/                | System Admin - UT iSchool
=----------------------------------+-------------------------------
All syllogisms contain three lines | shanew () shanew net
Therefore this is not a syllogism  | www.ischool.utexas.edu/~shanew
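To see why the quoted rule's content match fires on ordinary mail, here is an added example (not from the thread, not Snort code): it decodes the base64 fragment the rule looks for and applies the same substring test to constructed attachment bytes at each of the three possible base64 alignments.

```python
import base64

# Content match from the Klez rule quoted in the thread.
SIGNATURE = "VGhpcyBwcm9"
B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def decode_fragment(sig):
    """Decode an unpadded base64 fragment.

    Returns the fully determined bytes plus the leftover bits, which only
    constrain the high bits of the next (undetermined) byte of the original.
    """
    bits = "".join(format(B64_ALPHABET.index(c), "06b") for c in sig)
    whole = len(bits) - len(bits) % 8
    data = bytes(int(bits[i:i + 8], 2) for i in range(0, whole, 8))
    return data, bits[whole:]


def signature_in_body(data, offset=0):
    """Base64-encode `data` as a MIME attachment would and apply the rule's
    substring test. `offset` drops leading bytes so the same payload can be
    tested at a different 3-byte alignment."""
    return SIGNATURE in base64.b64encode(data[offset:]).decode("ascii")


def matching_alignments(data):
    """Which of the three base64 alignments of `data` would trigger the rule."""
    return [off for off in range(3) if signature_in_body(data, off)]


# Constructed samples (not captured traffic).
# 1. Minimal stand-in for a Windows executable: the DOS stub text sits at
#    file offset 78 in a real PE file, and 78 is a multiple of 3.
PE_LIKE = b"MZ".ljust(78, b"\x00") + b"This program cannot be run in DOS mode.\r\n$"
# 2. Ordinary document prose that happens to contain "This pro" + a letter.
MEMO_LIKE = b"Memo: This proposal covers next quarter."
# 3. Same prefix followed by a space: the leftover bits do not match.
BENIGN = b"Memo: This pro 2004 budget"

if __name__ == "__main__":
    decoded, leftover = decode_fragment(SIGNATURE)
    print(decoded, leftover)  # b'This pro' 01
    for label, sample in [("exe", PE_LIKE), ("memo", MEMO_LIKE), ("benign", BENIGN)]:
        print(label, matching_alignments(sample))
```

The leftover bits `01` mean the match is "This pro" followed by any byte in 0x40-0x7F (every ASCII letter), provided the phrase starts on a 3-byte boundary of the attachment; that is why a base64-encoded document containing "This proposal" trips the rule while the same text shifted by one byte does not.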