Snort mailing list archives
RE: Snort-users] Here are my updated MyDoom/MIMAIL.R and Variant signatures for
From: "Sam Evans" <sam () neuroflux com>
Date: Thu, 29 Jan 2004 10:44:32 -0700
How could the .pif signature successfully see a MyDoom virus? The attached file is encapsulated within a .zip. Snort wouldn't be able to see those. The only thing Snort can see is the fact that there is an attachment called message.zip, or something.zip.

For what it's worth, these signatures have not set off any sort of false positives in our 20K workstation environment, and have successfully detected the MyDoom / variant viruses. I'm not sure how these would set off tons of false positives, to be honest with you. If you look at the content that the rule matches against, how many messages come across saying "Mail Transaction ...", or "represents 7-bit ascii" and then have content-encoded files attached? I don't think I've ever seen one.

But, like I said, your mileage may vary with the signatures. I was merely contributing to the community.

-Sam

-----Original Message-----
From: SN ORT [mailto:snort_on_acid () yahoo com]
Sent: Thursday, January 29, 2004 10:22 AM
To: Snort Users
Cc: sam () neuroflux com; martinm () montevallo edu
Subject: Re: Snort-users] Here are my updated MyDoom/MIMAIL.R and Variant signatures for

Hi Sam,

It appears to me that these rules you've enabled would set off tons of false alerts. Not sure why everyone needs new rules to catch the new worm; I used the existing "VIRUS OUTBOUND .pif file attachment" and .scr attachment rules and found a handful here the day it came out. I mean, who would legitimately be sending .scr or .pif files? I had zero false positives/negatives.

Cheese!
Marc

---------------Original Message----------------------
Message: 2
Date: Wed, 28 Jan 2004 15:16:17 -0700 (MST)
From: sam () neuroflux com
To: "Martin Jr., D. Michael" <martinm () montevallo edu>
Cc: sam () neuroflux com, "Joe Stewart" <jstewart () lurhq com>, snort-sigs () lists sourceforge net, snort-users () lists sourceforge net
Subject: [Snort-users] Here are my updated MyDoom/MIMAIL.R and Variant signatures for Snort

Yes. I posted an updated set of signatures that match against the three different body contents yesterday, I believe. Please note that I have tested these on our perimeter IDS and it has successfully triggered against infected emails coming in. I've changed the destination on these rules to be $EXTERNAL_NET so that they will trigger if any infected machines inside a network are sending outbound. As always, YMMV with these signatures.

-Sam

Here they are again:

alert tcp any any -> $EXTERNAL_NET 25 (msg: "VIRUS - MyDoom/MIMAIL.R Outbound 1"; \
content: "represented in 7-bit ASCII"; \
content: "Content-Type\: application/octet-stream"; \
content: "Content-Transfer-Encoding\: base64"; \
nocase; rev: 4; sid:1000569;)

alert tcp any any -> $EXTERNAL_NET 25 \
(msg: "VIRUS - MyDoom/MIMAIL.R Outbound 2"; content: "Mail transaction failed"; \
content: "Content-Type\: application/octet-stream"; \
content: "Content-Transfer-Encoding\: base64"; \
nocase; rev: 4; sid:1000570;)

alert tcp any any -> $EXTERNAL_NET 25 (msg: "VIRUS - MyDoom/MIMAIL.R Outbound 3"; \
content: "The message contains Unicode characters"; \
content: "Content-Type\: application/octet-stream"; \
content: "Content-Transfer-Encoding\: base64"; \
nocase; rev: 4; sid:1000571;)

alert tcp any any -> $EXTERNAL_NET 25 (msg: "VIRUS - MyDoom/MIMAIL.R Variant Outbound"; content: "We are sorry your UTF-8 encoding is not supported by the server"; nocase; rev: 1; sid:1000572;)
------------------------------------------------------
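The thread argues about whether the posted rules can fire on anything but MyDoom mail. The script below is an added example, not code from the thread or from the Snort project: it parses the four rules as posted (including the line continuations and the `\:` escapes) and emulates just the part of Snort's option matching that matters here, namely that every `content` option in a rule must be found (an implicit AND) and that `nocase` modifies only the `content` immediately before it. It runs the rules over two constructed SMTP payloads, a MyDoom-style bounce carrying a message.zip and an ordinary message with a base64 PDF attachment, and a case-flipped copy of the first. The sample messages and the `split_rules`, `parse_rule` and `matching_sids` helpers are assumptions of this example; stream reassembly, ports and direction are not modelled.

```python
"""Emulate Snort's content/nocase matching for the MyDoom rules in this thread."""
import re

# The four rules as posted on the list, continuations and escapes included.
RULES_TEXT = r'''
alert tcp any any -> $EXTERNAL_NET 25 (msg: "VIRUS - MyDoom/MIMAIL.R Outbound 1"; \
content: "represented in 7-bit ASCII"; \
content: "Content-Type\: application/octet-stream"; \
content: "Content-Transfer-Encoding\: base64"; \
nocase; rev: 4; sid:1000569;)
alert tcp any any -> $EXTERNAL_NET 25 \
(msg: "VIRUS - MyDoom/MIMAIL.R Outbound 2"; content: "Mail transaction failed"; \
content: "Content-Type\: application/octet-stream"; \
content: "Content-Transfer-Encoding\: base64"; \
nocase; rev: 4; sid:1000570;)
alert tcp any any -> $EXTERNAL_NET 25 (msg: "VIRUS - MyDoom/MIMAIL.R Outbound 3"; \
content: "The message contains Unicode characters"; \
content: "Content-Type\: application/octet-stream"; \
content: "Content-Transfer-Encoding\: base64"; \
nocase; rev: 4; sid:1000571;)
alert tcp any any -> $EXTERNAL_NET 25 (msg: "VIRUS - MyDoom/MIMAIL.R Variant Outbound"; content: "We are sorry your UTF-8 encoding is not supported by the server"; nocase; rev: 1; sid:1000572;)
'''

# One rule option: name, optional ':' value (quoted string or bare token), ';'
OPTION_RE = re.compile(r'(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')


def split_rules(text):
    """Join backslash-newline continuations and return one string per rule."""
    joined = re.sub(r"\\\n\s*", " ", text)
    return [line.strip() for line in joined.splitlines() if line.strip()]


def unescape(s):
    """Snort content strings escape : ; \" and \\ with a backslash."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_rule(rule):
    """Return header, msg, sid and an ordered list of (pattern, nocase) tuples."""
    header, _, rest = rule.partition("(")
    options = rest[: rest.rfind(")")]
    parsed = {"header": header.strip(), "msg": None, "sid": None, "contents": []}
    for name, value in OPTION_RE.findall(options):
        if name == "content":
            parsed["contents"].append([unescape(value[1:-1]), False])
        elif name == "nocase" and parsed["contents"]:
            parsed["contents"][-1][1] = True  # applies only to the preceding content
        elif name == "msg":
            parsed["msg"] = value[1:-1]
        elif name == "sid":
            parsed["sid"] = int(value.strip())
    parsed["contents"] = [tuple(c) for c in parsed["contents"]]
    return parsed


def rule_matches(parsed, payload):
    """Every content must be present; a content is case-insensitive only with nocase."""
    for needle, nocase in parsed["contents"]:
        hay, pat = (payload.lower(), needle.lower()) if nocase else (payload, needle)
        if pat not in hay:
            return False
    return True


PARSED_RULES = [parse_rule(r) for r in split_rules(RULES_TEXT)]


def matching_sids(payload):
    """SIDs of all rules whose content options are all found in the payload."""
    return [r["sid"] for r in PARSED_RULES if rule_matches(r, payload)]


# Constructed sample payloads (the SMTP DATA section, headers plus MIME body).
MYDOOM_SAMPLE = (
    'From: postmaster@example.invalid\r\nTo: user@example.invalid\r\n'
    'Subject: Error\r\nContent-Type: multipart/mixed; boundary="XYZ"\r\n\r\n'
    '--XYZ\r\nContent-Type: text/plain\r\n\r\n'
    'Mail transaction failed. Partial message is available.\r\n'
    '--XYZ\r\nContent-Type: application/octet-stream; name="message.zip"\r\n'
    'Content-Transfer-Encoding: base64\r\n\r\nUEsDBBQAAAAIAAAAAAAAAAAAAAAA\r\n--XYZ--\r\n'
)
LEGIT_SAMPLE = (
    'From: alice@example.invalid\r\nTo: bob@example.invalid\r\n'
    'Subject: Q4 report\r\nContent-Type: multipart/mixed; boundary="ABC"\r\n\r\n'
    '--ABC\r\nContent-Type: text/plain\r\n\r\nReport attached.\r\n'
    '--ABC\r\nContent-Type: application/pdf; name="report.pdf"\r\n'
    'Content-Transfer-Encoding: base64\r\n\r\nJVBERi0xLjQKJcfsj6IK\r\n--ABC--\r\n'
)

if __name__ == "__main__":
    for label, payload in (("MyDoom-style bounce", MYDOOM_SAMPLE),
                           ("ordinary PDF mail", LEGIT_SAMPLE),
                           ("bounce, upper-cased body",
                            MYDOOM_SAMPLE.replace("Mail transaction failed",
                                                  "MAIL TRANSACTION FAILED"))):
        print(f"{label}: {matching_sids(payload)}")
```

Running it shows SID 1000570 firing on the constructed bounce and nothing firing on the PDF mail, which is the point Sam makes about the three strings co-occurring only in worm traffic. The third case is the caveat a rule author should keep in mind: because `nocase` sits after the last `content`, only the `Content-Transfer-Encoding: base64` match is case-insensitive, so a body string whose case differs from the rule does not match.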