RE: NetSky worm signature definition...!!!

[Shane Williams <shanew () shanew net>]

I would strongly discourage this rule to catch Klez, NetSky or any
virus, for that matter.  Running the string through some archived
mail, I'm seeing lots of false positives, particularly in (legitimate)
word documents.

I'll see what I can do to come up with something that reduces false
positives.

On Thu, 19 Feb 2004, Tim Hergert wrote:

> Having a portion that is a mass mailer, you'll see it come in on port 25 for
> sure . . . 
>
> Using Matt Kettler's suggestion, I quickly kluged together a rule using the
> clam av signature
> http://www.clamav.net/
>
> However, the old Klez detection rule seems to be triggered by NetSky, and
> the log times seem to correlate exactly with the logs from the antivirus
> software on the mail server.
>
> alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"VIRUS Klez Incoming";
> flow:to_server,established; dsize:>120;content:"MIME";
> content:"VGhpcyBwcm9"; classtype:misc-activity; sid:1800; rev:3;)
>
> Seems to work well for me, but maybe I'm just lucky.
>
>
> -----Original Message-----
> From: Semerjian, Ohanes [mailto:ohanes.semerjian () au mci com]
> Sent: February 18, 2004 8:23 PM
> To: snort-users () lists sourceforge net
> Subject: [Snort-users] NetSky worm signature definition...!!!
>
>
> Hello all, 
> Just was wondering if any one had this latest worm signature defined or know
> it works (like which port, protocol it uses )
> Best Regards 
> Ohanes Semerjian 
>
>
> -------------------------------------------------------
> SF.Net is sponsored by: Speed Start Your Linux Apps Now.
> Build and deploy apps & Web services for Linux with
> a free DVD software kit from IBM. Click Now!
> http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Public key #7BBC68D9 at            |                 Shane Williams
http://pgp.mit.edu/                |      System Admin - UT iSchool
=----------------------------------+-------------------------------
All syllogisms contain three lines |              shanew () shanew net
Therefore this is not a syllogism  | www.ischool.utexas.edu/~shanew



-------------------------------------------------------
SF.Net is sponsored by: Speed Start Your Linux Apps Now.
Build and deploy apps & Web services for Linux with
a free DVD software kit from IBM. Click Now!
http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users