Snort mailing list archives

RE: [Snort-users] Here are my updated MyDoom/MIMAIL.R and Variant signatures for Snort


From: "Sam Evans" <sam () neuroflux com>
Date: Thu, 29 Jan 2004 10:44:32 -0700

How could the .pif signature successfully see a MyDoom virus?  The attached
file is encapsulated within a .zip.  Snort wouldn't be able to see those.
The only thing Snort can see is the fact that there is an attachment called
message.zip, or something.zip.

For what it's worth, these signatures have not set off any sort of false
positives in our 20K-workstation environment, and have successfully detected
the MyDoom / variant viruses.


I'm not sure how these would set off tons of false positives, to be honest with
you.  If you look at the content that the rule matches against, how many
messages come across saying "Mail Transaction ...", or "represents 7-bit
ascii" and then have content-encoded files attached?  I don't think I've
ever seen one.

But, like I said, your mileage may vary with the signatures.  I was merely
contributing to the community.

-Sam

-----Original Message-----
From: SN ORT [mailto:snort_on_acid () yahoo com] 
Sent: Thursday, January 29, 2004 10:22 AM
To: Snort Users
Cc: sam () neuroflux com; martinm () montevallo edu
Subject: Re: [Snort-users] Here are my updated MyDoom/MIMAIL.R and Variant signatures for Snort

Hi Sam,
It appears to me that these rules you've enabled would
set off tons of false alerts. 

Not sure why everyone needs new rules to catch the new
worm, I used the existing "VIRUS OUTBOUND .pif file
attachment" and .scr attachment rules and found a
handful here the day it came out. I mean, who would
legitimately be sending .scr or .pif files? I had zero
false positives/negatives.

Cheese!

Marc

---------------Original Message----------------------
Message: 2
Date: Wed, 28 Jan 2004 15:16:17 -0700 (MST)
From: sam () neuroflux com
To: "Martin Jr., D. Michael" <martinm () montevallo edu>
Cc: sam () neuroflux com, "Joe Stewart" <jstewart () lurhq com>,
    snort-sigs () lists sourceforge net, snort-users () lists sourceforge net
Subject: [Snort-users] Here are my updated MyDoom/MIMAIL.R and Variant signatures for Snort

Yes.  I posted an updated set of signatures that match against the three
different body contents yesterday, I believe.

Please note that I have tested these on our perimeter IDS and it has
successfully triggered against infected emails coming in.  I've changed
the destination on these rules to be $EXTERNAL_NET so that it will trigger
if any infected machines inside a network are sending outbound.

As always, YMMV with these signatures.

-Sam

Here they are again:

alert tcp any any -> $EXTERNAL_NET 25 (msg: "VIRUS - MyDoom/MIMAIL.R Outbound 1"; \
content: "represented in 7-bit ASCII"; \
content: "Content-Type\: application/octet-stream"; \
content: "Content-Transfer-Encoding\: base64"; \
nocase; rev: 4; sid:1000569;)

alert tcp any any -> $EXTERNAL_NET 25 (msg: "VIRUS - MyDoom/MIMAIL.R Outbound 2"; \
content: "Mail transaction failed"; \
content: "Content-Type\: application/octet-stream"; \
content: "Content-Transfer-Encoding\: base64"; \
nocase; rev: 4; sid:1000570;)

alert tcp any any -> $EXTERNAL_NET 25 (msg: "VIRUS - MyDoom/MIMAIL.R Outbound 3"; \
content: "The message contains Unicode characters"; \
content: "Content-Type\: application/octet-stream"; \
content: "Content-Transfer-Encoding\: base64"; \
nocase; rev: 4; sid:1000571;)

alert tcp any any -> $EXTERNAL_NET 25 (msg: "VIRUS - MyDoom/MIMAIL.R Variant Outbound"; \
content: "We are sorry your UTF-8 encoding is not supported by the server"; \
nocase; rev: 1; sid:1000572;)
------------------------------------------------------








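The two points argued in the thread (Sam: the payload inside message.zip is invisible to a plain content match; Marc: a .pif attachment rule is enough) can be checked against sample traffic. The following is an added example, not code from the thread or from Snort: a simplified stand-in for Snort 2's content/nocase evaluation, the four posted rules reduced to their content options, an assumed stand-in for the stock ".pif file attachment" rule (its real text is not on this page), and constructed SMTP payloads. It also shows a caveat in the posted rules: in Snort 2, nocase modifies only the content immediately before it, so the body-text match in each rule is case-sensitive as written.

```python
# Added example (not from the thread): evaluate the posted Snort content rules
# against constructed SMTP payloads with a simplified stand-in for Snort's matcher.
import base64
import re

# The four posted rules reduced to their content/nocase options.  Snort 2 modifier
# scope: "nocase" applies only to the preceding content, so here only the
# Content-Transfer-Encoding match is case-insensitive.
THREAD_RULES = {
    "MyDoom/MIMAIL.R Outbound 1":
        'content: "represented in 7-bit ASCII"; '
        'content: "Content-Type\\: application/octet-stream"; '
        'content: "Content-Transfer-Encoding\\: base64"; nocase;',
    "MyDoom/MIMAIL.R Outbound 2":
        'content: "Mail transaction failed"; '
        'content: "Content-Type\\: application/octet-stream"; '
        'content: "Content-Transfer-Encoding\\: base64"; nocase;',
    "MyDoom/MIMAIL.R Outbound 3":
        'content: "The message contains Unicode characters"; '
        'content: "Content-Type\\: application/octet-stream"; '
        'content: "Content-Transfer-Encoding\\: base64"; nocase;',
    "MyDoom/MIMAIL.R Variant Outbound":
        'content: "We are sorry your UTF-8 encoding is not supported by the server"; nocase;',
    # Assumed stand-in for the stock ".pif file attachment" rule Marc mentions;
    # the real rule text is not on the page.
    "PIF attachment (stand-in)":
        'content: "filename=\\""; content: ".pif\\""; nocase;',
}

OPTION_RE = re.compile(r'(\w+)\s*:\s*"((?:[^"\\]|\\.)*)"\s*;|(\w+)\s*;')


def unescape(pattern):
    # Undo Snort content escapes (backslash before : ; " or another backslash).
    return re.sub(r"\\(.)", r"\1", pattern)


def parse_contents(options):
    """Return [(pattern, nocase), ...] in rule order, honouring modifier scope."""
    contents = []
    for m in OPTION_RE.finditer(options):
        if m.group(1) == "content":
            contents.append([unescape(m.group(2)), False])
        elif m.group(3) == "nocase":
            if not contents:
                raise ValueError("nocase without a preceding content")
            contents[-1][1] = True
    return [tuple(c) for c in contents]


def rule_matches(options, payload):
    """Every content option must be found (AND), each in its own case mode."""
    for pattern, nocase in parse_contents(options):
        hay, needle = (payload.lower(), pattern.lower()) if nocase else (payload, pattern)
        if needle not in hay:
            return False
    return True


def fired(payload, rules=THREAD_RULES):
    """Names of the rules whose content options all appear in the payload."""
    return [name for name, opts in rules.items() if rule_matches(opts, payload)]


def with_nocase_everywhere(options):
    """Rewrite the options so every content carries its own nocase modifier."""
    return re.sub(r'(content\s*:\s*"(?:[^"\\]|\\.)*"\s*;)(?!\s*nocase)', r"\1 nocase;", options)


def smtp_payload(body_text, attachment_name, attachment_bytes):
    """Constructed DATA portion of an SMTP session with one base64 attachment."""
    lines = [
        "From: postmaster@example.net", "To: user@example.org",
        "Subject: Delivery failure", "MIME-Version: 1.0",
        'Content-Type: multipart/mixed; boundary="bnd"', "", "--bnd",
        "Content-Type: text/plain; charset=us-ascii", "", body_text, "--bnd",
        f'Content-Type: application/octet-stream; name="{attachment_name}"',
        "Content-Transfer-Encoding: base64",
        f'Content-Disposition: attachment; filename="{attachment_name}"', "",
        base64.b64encode(attachment_bytes).decode(), "--bnd--", "",
    ]
    return "\r\n".join(lines)


# Constructed samples.  The fake zip carries a ".pif" member name on purpose:
# after base64 (an alphabet with no '.') a content match cannot see it.
FAKE_ZIP = b"PK\x03\x04" + bytes(22) + b"document.pif" + bytes(8)
ZIP_BOUNCE = smtp_payload(
    "The message contains Unicode characters and has been sent as a binary attachment.",
    "message.zip", FAKE_ZIP)
PIF_DIRECT = smtp_payload(
    "The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.",
    "document.pif", b"MZ" + bytes(16))
LEGIT = smtp_payload("Hi, quarterly figures attached.", "q4.xlsx", b"PK\x03\x04" + bytes(16))
CASE_VARIANT = smtp_payload("MAIL TRANSACTION FAILED. Partial message is available.",
                            "message.zip", FAKE_ZIP)

if __name__ == "__main__":
    for label, msg in [("zip bounce", ZIP_BOUNCE), ("direct .pif", PIF_DIRECT),
                       ("legitimate", LEGIT), ("upper-case body", CASE_VARIANT)]:
        print(f"{label:16} as posted: {fired(msg)}")
    fixed = {n: with_nocase_everywhere(o) for n, o in THREAD_RULES.items()}
    print("upper-case body  nocase on every content:", fired(CASE_VARIANT, fixed))
```

Run stand-alone, the zip bounce fires only the body-text rule (the .pif name inside the archive never appears in the payload), the directly attached .pif fires both the body-text rule and the attachment-name rule, the ordinary octet-stream attachment fires nothing, and the upper-cased body text fires nothing until each content gets its own nocase.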