Snort mailing list archives

Re: Bripia worm


From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 02 Feb 2005 21:08:33 -0500

At 08:11 PM 2/2/2005, Cesar Sanabria Pineda wrote:
Hi, I have a virus spreading through messenger; it seems like
bropia.worm. Is there any snort rule to detect this worm?

None that I've seen, but you might be able to hack the MSN messenger file-transfer rule from bleeding snort (sid: 2001241) to detect any attempts to MSN a .pif file by adding to the end.. "content:".pif"; distance:40;"




alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"BLEEDING-EDGE CHAT MSN PIF file transfer request"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A|"; distance:0; nocase; content:"text/x-msmsgsinvite"; distance:0; nocase; content:"Application-Name|3A|"; content:"File Transfer"; distance:0; content:".pif"; distance:40; nocase; classtype:policy-violation; priority:1; sid:xxxx; rev:1;)

Note: I've mangled the sid above to avoid re-use of the bleeding-edge SID for the original rule; please pick a SID in the 1,000,000+ range.

Disclaimer: I've not tested this, as I don't have this worm roaming my network. I've also never tested the original rule; this is entirely a theory anyway.
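Since the rule above is untested, here is an added example (not from the thread or from bleeding-snort) that re-implements the content/depth/distance/nocase chain the rule relies on and runs it over constructed invite bodies, to show which header layouts it catches and which it misses. The MSNP invite bodies, header order, GUID and cookie values are assumptions, not real captures.

```python
# Added example (not from the thread): a minimal re-implementation of the
# content/depth/distance/nocase matching the rule above relies on, run over
# constructed MSNP invite bodies (approximations, not real captures).
# flow, classtype and sid are ignored.

# The rule's content chain, in order.
RULE_CHAIN = [
    {"content": b"MSG ", "depth": 4},
    {"content": b"Content-Type:", "distance": 0, "nocase": True},
    {"content": b"text/x-msmsgsinvite", "distance": 0, "nocase": True},
    {"content": b"Application-Name:"},  # no relative modifier: absolute
    {"content": b"File Transfer", "distance": 0},
    {"content": b".pif", "distance": 40, "nocase": True},
]

HEAD = (b"MSG user 1 200\r\nMIME-Version: 1.0\r\n"
        b"Content-Type: text/x-msmsgsinvite; charset=UTF-8\r\n\r\n"
        b"Application-Name: File Transfer\r\n")
# Constructed: several headers sit between the app name and the filename.
INVITE_PIF_LATE = (HEAD + b"Application-GUID: {PLACEHOLDER-GUID}\r\n"
                   b"Invitation-Command: INVITE\r\nInvitation-Cookie: 12345\r\n"
                   b"Application-File: funny.pif\r\nApplication-FileSize: 10000\r\n")
# Constructed: the filename follows the app name immediately.
INVITE_PIF_EARLY = HEAD + b"Application-File: a.pif\r\nApplication-FileSize: 10000\r\n"
# Constructed: same layout as the late case, benign attachment.
INVITE_JPG = INVITE_PIF_LATE.replace(b"funny.pif", b"photo.jpg")

def match_chain(payload, chain):
    """Snort 2.x style: a content with distance searches from (end of the
    previous match + distance); one without relative modifiers is absolute
    and searches from offset 0; depth caps the search window."""
    cursor = 0
    for c in chain:
        hay, pat = payload, c["content"]
        if c.get("nocase"):
            hay, pat = hay.lower(), pat.lower()
        start = cursor + c["distance"] if "distance" in c else 0
        end = start + c["depth"] if "depth" in c else len(hay)
        idx = hay.find(pat, start, end)
        if idx < 0:
            return False
        cursor = idx + len(pat)
    return True

def pif_offset(payload):
    """Bytes from the end of 'File Transfer' to '.pif' (-1 if absent): the
    gap the rule's distance:40 bets on."""
    anchor = payload.find(b"File Transfer")
    pos = payload.lower().find(b".pif", anchor) if anchor >= 0 else -1
    return -1 if pos < 0 else pos - (anchor + len(b"File Transfer"))
```

The "early" body is missed because distance:40 skips the first 40 bytes after "File Transfer"; if the real invite puts the filename sooner, distance:0 would be the safer choice.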

